Malware Analysis Report

2025-08-10 22:52

Sample ID 240107-x2wnxsdcb7
Target a511396442a36431fa575db4a1db79be.exe
SHA256 7daaabc1b929c83288bc103aa3b60d23df7e17d3616ec899027abf08cb7efce3
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7daaabc1b929c83288bc103aa3b60d23df7e17d3616ec899027abf08cb7efce3

Threat Level: Known bad

The file a511396442a36431fa575db4a1db79be.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Loads dropped DLL

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:21

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kbkesefmoavhy.exe" C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uzymgvve = "adrdxbdmqe.exe" C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\krudpgcd = "bfvitizwsuhskrd.exe" C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\bfvitizwsuhskrd.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File created C:\Windows\SysWOW64\mkdmbpui.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\kbkesefmoavhy.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
File created C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File created C:\Windows\SysWOW64\bfvitizwsuhskrd.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\mkdmbpui.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File created C:\Windows\SysWOW64\kbkesefmoavhy.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\mkdmbpui.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mkdmbpui.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC70814E7DABFB9BB7CE3EDE434CD" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7C9D5283206D3476D270222CAC7C8F64DC" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
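
Reading note on this table: every row is attributed to WINWORD.EXE, not to the sample or its SysWOW64 drops, and the paths it writes (Office14\msohtmed.exe, msohevi.dll, the HTML viewer CLSID) are Office 2010's own. The sample launched Word on the dropped C:\Windows\mydoc.rtf, and Word then performed its usual OpenWithList/HTML-editor self-registration, so these rows are Office noise rather than attacker persistence. The one REG_BINARY value in the table (the "Microsoft Publisher\shell\edit\command" row) looks opaque in the sandbox's hex dump but is simply a UTF-16LE string holding a Windows Installer "Darwin descriptor" (compressed product GUID, feature name, '>', compressed component GUID, then " %1"), which is how advertised Office features are registered. The following decoder is an example added by the editor, not sandbox code; the hex is copied from the row above, and the function names and the descriptor layout check are the editor's own.

```python
"""Decode the REG_BINARY 'command' value that WINWORD.EXE wrote under
HKLM\\SOFTWARE\\Classes\\.htm\\OpenWithList\\Microsoft Publisher\\shell\\edit\\command
in behavioral1.  Editor's example; not part of the sandbox output."""

# Indicator hex copied by hand from the report row (constructed input).
REPORT_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d00"
    "4b004b0053006b005000750062005000720069006d006100720079003e00"
    "520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"
)

# Base-85 alphabet Windows Installer uses for the 20-character compressed
# GUIDs inside a Darwin descriptor; '<' and '>' are deliberately absent so
# they can act as the feature/component separator.
_DARWIN_ALPHABET = (
    "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[]^_`abcdefghijklmnopqrstuvwxyz{}~"
)
_GUID_LEN = 20


def decode_reg_binary_utf16(hex_blob: str) -> str:
    """Turn the sandbox's hex dump of a REG_BINARY value into text.

    The 00 byte after every ASCII byte is the tell for UTF-16LE; trailing
    NUL terminators are stripped so the result compares cleanly."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def _is_compressed_guid(token: str) -> bool:
    return len(token) == _GUID_LEN and all(c in _DARWIN_ALPHABET for c in token)


def parse_darwin_descriptor(text: str) -> dict:
    """Split '<product><feature>><component>[ args]' into its parts.

    'is_darwin' is False when the text does not have that layout, in which
    case it should be read as an ordinary command line instead."""
    product = text[:_GUID_LEN]
    rest = text[_GUID_LEN:]
    sep = next((i for i, c in enumerate(rest) if c in "<>"), -1)
    component = rest[sep + 1: sep + 1 + _GUID_LEN]
    if sep < 1 or not _is_compressed_guid(product) or not _is_compressed_guid(component):
        return {"is_darwin": False, "raw": text}
    return {
        "is_darwin": True,
        "product": product,
        "feature": rest[:sep],
        "component": component,
        "args": rest[sep + 1 + _GUID_LEN:].strip(),
    }


if __name__ == "__main__":
    decoded = decode_reg_binary_utf16(REPORT_HEX)
    print(decoded)
    print(parse_darwin_descriptor(decoded))
```

The decoded value splits into a product code, the feature name "PubPrimary" and a component code, followed by the usual "%1" document argument. On a Windows host the authoritative way to expand such a descriptor is msi.dll's MsiDecomposeDescriptorW, which yields the real product and component GUIDs; the point for triage is that a REG_BINARY "command" of this shape under an Office OpenWithList key is an MSI advertisement written by Office, not a hidden command from the sample.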

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\adrdxbdmqe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\mkdmbpui.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\kbkesefmoavhy.exe N/A
N/A N/A C:\Windows\SysWOW64\bfvitizwsuhskrd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\adrdxbdmqe.exe
PID 2904 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\adrdxbdmqe.exe
PID 2904 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\adrdxbdmqe.exe
PID 2904 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\adrdxbdmqe.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\bfvitizwsuhskrd.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\bfvitizwsuhskrd.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\bfvitizwsuhskrd.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\bfvitizwsuhskrd.exe
PID 2904 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2904 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2904 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2904 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2904 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\kbkesefmoavhy.exe
PID 2904 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\kbkesefmoavhy.exe
PID 2904 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\kbkesefmoavhy.exe
PID 2904 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\kbkesefmoavhy.exe
PID 2728 wrote to memory of 2692 N/A C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2728 wrote to memory of 2692 N/A C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2728 wrote to memory of 2692 N/A C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2728 wrote to memory of 2692 N/A C:\Windows\SysWOW64\adrdxbdmqe.exe C:\Windows\SysWOW64\mkdmbpui.exe
PID 2904 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2904 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2904 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2904 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3064 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3064 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3064 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3064 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe

"C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe"

C:\Windows\SysWOW64\adrdxbdmqe.exe

adrdxbdmqe.exe

C:\Windows\SysWOW64\bfvitizwsuhskrd.exe

bfvitizwsuhskrd.exe

C:\Windows\SysWOW64\mkdmbpui.exe

mkdmbpui.exe

C:\Windows\SysWOW64\kbkesefmoavhy.exe

kbkesefmoavhy.exe

C:\Windows\SysWOW64\mkdmbpui.exe

C:\Windows\system32\mkdmbpui.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\bfvitizwsuhskrd.exe

MD5 fab0de4e047791d425ef9f15045775eb
SHA1 03ae04329b402d046c2fb20e1313ab67c4e6352f
SHA256 a912bcc68e2db706da8efacf01a2be91a025c616d1c4658a1bdf53bac56a5fff
SHA512 616cb8efc90f1f069bb28ae84c3e3124bea9817194cf2fbb5b3b7eac9e2dd2af96bc59ceb48257baa489b8545c3820180a2b3ec0e747b2cf650aa9ab2eb39a00

\Windows\SysWOW64\adrdxbdmqe.exe

MD5 1feb1e3dffb4d687281740533add7a9b
SHA1 79b18134209185f0218703de4ad2a8315f3ac3ab
SHA256 2e1c03cfd7968d39098216c4bd758295aab5afc4877eb5e195a672b5a4975fc9
SHA512 9713ee296d3e2e0a15ac72b2e4366e9e28366525d53e34b105c98b48be0f61df1e3ecf318aee2aeb04b8de66f15a7b72e35388bbe9369c1e2e22400877e8920c

\Windows\SysWOW64\mkdmbpui.exe

MD5 c8225c84921e93249ce55a91e0b7ee43
SHA1 7a3960efac43851a159a84a283cacf6ab3b52e17
SHA256 3084a12a18535a65c9c1928563d2792a931439bf6f01be554012061952f304c6
SHA512 3b2a66d60a7d75a4d19785d75e9807b54a33d90631d930a83ca28e4f87acf0efb8aa7e4443f9feb4af4aac79c477b7c2843bdec8f069923afe94ec2610589d84

\Windows\SysWOW64\kbkesefmoavhy.exe

MD5 0dbc3532d76c284123fcf924aff86bb1
SHA1 8e17c10eacdfec4e179afbff567d20ce5a6991c1
SHA256 2c6212e9b2fec0785373e72da0df9805eaf9b6e78464acc8d43d14847ff440bb
SHA512 b519337acef6d0e1106ed2bba514404f36ef01d8a3bf65f315cffc9a18eec09a1ca72a823bfe61119c3bd2646c61d7b63b549d7f5b7b9d20a3b249248a9d138d

memory/3064-45-0x000000002FE41000-0x000000002FE42000-memory.dmp

memory/3064-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3064-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 db08ef2d2035b97badadd2d116b6603c
SHA1 724a1139e810e14403ef637dd4a426c3ee7ccfa8
SHA256 4e8704faa4e94871f4a7ac57482fc5c76f58ec1ca7e82b15806ec409d5f2f907
SHA512 b5dfc32bc817f2d6538f15f09f874d384e0575a8f56b517f22a378c6af03e713021bd0ac58de87eab9bfbc044e1ac728359db814bd20b5f9f02d852cf7d0ef3c

C:\Users\Admin\Downloads\ResetCopy.doc.exe

MD5 3a9d2f8dbf861965838dbd3044a18c04
SHA1 41cf2b3aac72afe709855a7b91713c1711bf94e7
SHA256 67e74ea2548cb43760cc1a31baeea606c34cdf50c6937dd867f559e560c65e53
SHA512 4e8553d2f1c28f2e08cfcce39bb12e181701d810ee778b10019dd619a895c14699308ab979afa193f4d8b5e6ded2be0da523f3e98f9c6addf97875614b86bc88

memory/3064-82-0x0000000070D4D000-0x0000000070D58000-memory.dmp

memory/3064-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a954e93bc5437829cfd90c7fae875eb6
SHA1 c99479ec22b7744f10064c3deda057c76d3c74bc
SHA256 cd56595a7ab1f1315e8924d9d868e917408b10221c2b5457103b28b3b41f31e6
SHA512 9c2a684ded015df0c4103bd2d7f973c90ea57d0214279f998d3b067991917f989d759d348ca9ed4f5d617cb5d35fbd6c3b2f954b20426f276d5010fbb5a0ecb3

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uctdpphw = "gqrvcvfvws.exe" C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\luxzuzux = "ockacaabryqpnuw.exe" C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vqssoglepddkl.exe" C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nnkerwzo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nnkerwzo.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ockacaabryqpnuw.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\ockacaabryqpnuw.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\nnkerwzo.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\vqssoglepddkl.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File created C:\Windows\SysWOW64\gqrvcvfvws.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\gqrvcvfvws.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
File created C:\Windows\SysWOW64\nnkerwzo.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
File created C:\Windows\SysWOW64\vqssoglepddkl.exe C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACEF966F19883083B40869A3993B38D03FD42690239E1BF459E09D4" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCF94F5A82129137D7207DE0BD93E632594367436335D798" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB6FF1B21DCD10BD1D58A0E9014" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D799D5282596A3F77D670202DD87CF265DA" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC7741493DBB1B9C17F97ECE237BA" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B15D47E5399852CCB9D5339FD7C9" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
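
Reading note on the behavioral2 registry signatures above: the Security Center values (AntiVirusOverride, FirewallOverride, *DisableNotify, FirstRunDisabled) silence Action Center warnings about AV, firewall and updates rather than turning those products off; DisableRegistryTools blocks regedit for the user; HideFileExt and ShowSuperHidden hide the dropped executables' extensions and system/hidden attributes in Explorer; SFCDisable = "4294967197" is the unsigned rendering of 0xFFFFFF9D (-99), the legacy Windows File Protection disable value; remapping .bat, .reg, .vbs, .wsc, .wsf and .wsh to the txtfile class makes double-clicked scripts and .reg imports open as text, which gets in the way of manual cleanup; and the Run values under WOW6432Node point at bare filenames that resolve in SysWOW64, where the sample dropped them. The writes to HKLM and to C:\Windows\SysWOW64 also show the detonation ran with administrative rights; on a standard-user host only the HKU changes would land. The script below is a worked example added by the editor, not sandbox code: it parses the report's own "Set value" rows (a hand-copied subset, embedded as constructed input), normalises the kernel-style key paths, and applies a small rule set whose rule names, ATT&CK mapping and the DWORD sign conversion are the editor's.

```python
"""Triage the 'Set value' rows of the behavioral2 registry signatures.
Editor's example; the parser and rule set are not part of the sandbox."""

import re
from collections import Counter
from typing import Optional

# Subset of rows copied by hand from the report tables above (constructed
# input).  The 'Key value queried' row is included to show it is skipped.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uctdpphw = "gqrvcvfvws.exe" C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vqssoglepddkl.exe" C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACEF966F19883083B40869A3993B38D03FD42690239E1BF459E09D4" C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
""".strip().splitlines()

ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) (?P<path>.+?) = "(?P<value>[^"]*)" (?P<process>.+?) N/A$'
)
_SCRIPT_EXT = re.compile(r"\\classes\\\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg|ps1)$")


def normalize_path(path: str) -> str:
    """Map the kernel-style REGISTRY prefix to HKLM/HKU and drop the
    WOW6432Node reflection so one rule covers 32- and 64-bit writers."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\(S-[\d-]+)\\", r"HKU\\\1\\", p, flags=re.I)
    return re.sub(r"wow6432node\\", "", p, flags=re.I)


def dword_signed(value: str) -> Optional[int]:
    """Read a sandbox-printed unsigned DWORD as the signed value the
    consumer sees: "4294967197" is 0xFFFFFF9D, i.e. -99."""
    if not value.isdigit():
        return None
    u = int(value) & 0xFFFFFFFF
    return u - (1 << 32) if u & 0x80000000 else u


# (rule id, ATT&CK technique, predicate over lower-cased key, lower-cased
# value name, raw value).  Rule ids are the editor's, not sandbox names.
RULES = [
    ("security-center-override", "T1562.001",
     lambda k, n, v: r"\microsoft\security center" in k and v == "1"),
    ("disable-regedit", "T1112",
     lambda k, n, v: k.endswith(r"\policies\system") and n == "disableregistrytools" and v == "1"),
    ("hide-file-extensions", "T1564.001",
     lambda k, n, v: k.endswith(r"\explorer\advanced") and n == "hidefileext" and v == "1"),
    ("hide-system-files", "T1564.001",
     lambda k, n, v: k.endswith(r"\explorer\advanced") and n == "showsuperhidden" and v == "0"),
    ("sfc-scan-disabled", "T1562.001",
     lambda k, n, v: k.endswith(r"\winlogon") and n == "sfcscan" and v == "0"),
    ("sfc-disable", "T1562.001",
     lambda k, n, v: k.endswith(r"\winlogon") and n == "sfcdisable" and dword_signed(v) == -99),
    ("run-key", "T1547.001",
     lambda k, n, v: k.endswith(r"\currentversion\run")),
    ("script-ext-to-text", "T1546.001",
     lambda k, n, v: n == "" and v.lower() == "txtfile" and _SCRIPT_EXT.search(k) is not None),
]


def parse_row(line: str) -> Optional[dict]:
    """Parse one 'Set value' row; other row kinds return None and are skipped."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = normalize_path(m["path"]).rpartition("\\")
    return {"kind": m["kind"], "key": key, "name": name,
            "value": m["value"], "process": m["process"]}


def triage(rows) -> list:
    """One finding per (row, rule) hit, carrying the parsed event."""
    findings = []
    for line in rows:
        ev = parse_row(line)
        if ev is None:
            continue
        k, n, v = ev["key"].lower(), ev["name"].lower(), ev["value"]
        for rule_id, technique, hit in RULES:
            if hit(k, n, v):
                findings.append({"rule": rule_id, "technique": technique, **ev})
    return findings


def by_process(findings) -> dict:
    """Count findings per writing process, to see which drop does the damage."""
    return dict(Counter(f["process"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['technique']:<10} {f['rule']:<26} {f['key']}\\{f['name']} = {f['value']!r}  [{f['process']}]")
    print(by_process(triage(SAMPLE_ROWS)))
```

Running it over the subset attributes all of the defence-evasion writes to gqrvcvfvws.exe and both Run values to ockacaabryqpnuw.exe, while the CLV.Classes\Com2 row (opaque hex the sample stores for itself) and the Geo\Nation query fall through unmatched; unmatched rows are where a reviewer should look next rather than assume them benign.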

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\gqrvcvfvws.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\nnkerwzo.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\vqssoglepddkl.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A
N/A N/A C:\Windows\SysWOW64\ockacaabryqpnuw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\gqrvcvfvws.exe
PID 1912 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\gqrvcvfvws.exe
PID 1912 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\gqrvcvfvws.exe
PID 1912 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\ockacaabryqpnuw.exe
PID 1912 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\ockacaabryqpnuw.exe
PID 1912 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\ockacaabryqpnuw.exe
PID 1912 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\nnkerwzo.exe
PID 1912 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\nnkerwzo.exe
PID 1912 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\nnkerwzo.exe
PID 1912 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\vqssoglepddkl.exe
PID 1912 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\vqssoglepddkl.exe
PID 1912 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Windows\SysWOW64\vqssoglepddkl.exe
PID 1912 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1912 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2272 wrote to memory of 2648 N/A C:\Windows\SysWOW64\gqrvcvfvws.exe C:\Windows\SysWOW64\nnkerwzo.exe
PID 2272 wrote to memory of 2648 N/A C:\Windows\SysWOW64\gqrvcvfvws.exe C:\Windows\SysWOW64\nnkerwzo.exe
PID 2272 wrote to memory of 2648 N/A C:\Windows\SysWOW64\gqrvcvfvws.exe C:\Windows\SysWOW64\nnkerwzo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe

"C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\nnkerwzo.exe

C:\Windows\system32\nnkerwzo.exe

C:\Windows\SysWOW64\vqssoglepddkl.exe

vqssoglepddkl.exe

C:\Windows\SysWOW64\nnkerwzo.exe

nnkerwzo.exe

C:\Windows\SysWOW64\ockacaabryqpnuw.exe

ockacaabryqpnuw.exe

C:\Windows\SysWOW64\gqrvcvfvws.exe

gqrvcvfvws.exe

Network

Files

C:\Windows\SysWOW64\gqrvcvfvws.exe

MD5 6662b185f19fbf697c56a25c92de7961
SHA1 0df0c0df0de3724258df2549c583e3c934aca726
SHA256 c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512 c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

C:\Windows\SysWOW64\ockacaabryqpnuw.exe

MD5 7fc6cf931da79ecd4267f22c6a1aefa8
SHA1 913682b9a75a4089cc18ec25b28e082916a6b314
SHA256 2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487
SHA512 272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf
