Malware Analysis Report

2025-08-05 17:02

Sample ID 240107-yazf6scffq
Target a316428effee4f96edee4b7601cfc78c.exe
SHA256 3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

Threat Level: Known bad

The file a316428effee4f96edee4b7601cfc78c.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Windows security modification

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:35

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:35

Reported

2024-01-07 19:38

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\xglufnyjap.exe N/A
N/A N/A C:\Windows\SysWOW64\caacrhhtiurqzhb.exe N/A
N/A N/A C:\Windows\SysWOW64\frflvhui.exe N/A
N/A N/A C:\Windows\SysWOW64\ttnebptsjdpvw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ttnebptsjdpvw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\xglufnyjap.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\xglufnyjap.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\caacrhhtiurqzhb.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\caacrhhtiurqzhb.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\frflvhui.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\frflvhui.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\ttnebptsjdpvw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7F9C2582236A4376A5772F2CAD7D8F65D9" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACCF917F1E3840B3B3286EC3E95B0FD03F142110238E2C442E808A8" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B028479339EE52C8BAA133E9D7CF" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC83482E856D9141D65C7E91BCEEE141594366476241D6EA" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BC5FE6E21AED179D0A78B7D9110" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77415E5DBB3B8CD7FE4ECE234C7" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
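The table above records PID 824 (the submitted sample) writing three times into each of the four processes it had just started from the executables it dropped into SysWOW64. The report itself does not say whether these writes are code injection or the parent populating a freshly created child, so the useful question for an analyst is how the rows combine with the "Drops file in System32 directory" table: every write target is an image the writer created moments earlier, which is the drop-then-start pattern of a dropper. The script below is an added example, not part of the sandbox report; its input rows are copied from the two behavioral2 tables above and it assumes, as in those rows, that paths contain no spaces.

```python
"""Recover the dropper's process tree from two of the behavioral2 tables.

Added example, not part of the sandbox report. The rows below are copied from
the 'Suspicious use of WriteProcessMemory' and 'Drops file in System32
directory' tables; paths are assumed to contain no spaces, as in those rows.
"""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\xglufnyjap.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\frflvhui.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
PID 824 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\ttnebptsjdpvw.exe
"""

# "File opened for modification" rows are present in the report too; only
# "File created" rows establish who wrote the image to disk.
DROP_ROWS = r"""
File opened for modification C:\Windows\SysWOW64\ttnebptsjdpvw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\xglufnyjap.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\caacrhhtiurqzhb.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\frflvhui.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\ttnebptsjdpvw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
"""

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
DROP_RE = re.compile(r"^File created (?P<file>\S+) (?P<proc>\S+) N/A$")


def dropped_files(drop_rows):
    """Map each created file (lower-cased) to the process that created it."""
    out = {}
    for line in drop_rows.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            out[m["file"].lower()] = m["proc"].lower()
    return out


def build_edges(wpm_rows, drop_rows):
    """One edge per (writer PID, target PID) with the write count and whether
    the writer itself dropped the target's image."""
    created_by = dropped_files(drop_rows)
    counts = defaultdict(int)   # (src pid, dst pid) -> number of writes
    image = {}                  # pid -> image path
    for line in wpm_rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        image[src], image[dst] = m["src_img"], m["dst_img"]
    edges = []
    for (src, dst), n in sorted(counts.items()):
        edges.append({
            "writer": src,
            "target": dst,
            "writes": n,
            "target_image": image[dst],
            # True when the writer created the target's on-disk image: the
            # drop-then-start pattern of a dropper rather than a write into a
            # pre-existing process.
            "target_dropped_by_writer": created_by.get(image[dst].lower()) == image[src].lower(),
        })
    return edges


def droppers(edges, min_children=2):
    """Writer PIDs that wrote into at least min_children processes whose image they dropped."""
    children = defaultdict(set)
    for e in edges:
        if e["target_dropped_by_writer"]:
            children[e["writer"]].add(e["target"])
    return sorted(pid for pid, kids in children.items() if len(kids) >= min_children)


if __name__ == "__main__":
    edges = build_edges(WPM_ROWS, DROP_ROWS)
    for e in edges:
        print(f'{e["writer"]} -> {e["target"]} ({e["writes"]} writes) {e["target_image"]} '
              f'dropped_by_writer={e["target_dropped_by_writer"]}')
    print("dropper PIDs:", droppers(edges))
```

Run against the rows above this yields four edges from PID 824, three writes each, all into images PID 824 created, and PID 824 as the only dropper candidate. The same correlation is what separates this pattern from a hollowing case, where the write target would be a process whose image the writer did not create.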

Processes

C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"

C:\Windows\SysWOW64\frflvhui.exe

frflvhui.exe

C:\Windows\SysWOW64\ttnebptsjdpvw.exe

ttnebptsjdpvw.exe

C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

caacrhhtiurqzhb.exe

C:\Windows\SysWOW64\xglufnyjap.exe

xglufnyjap.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\frflvhui.exe

C:\Windows\system32\frflvhui.exe

Network

The recorded traffic consists only of reverse-DNS (PTR) lookups sent to 8.8.8.8 and one TLS connection to tse1.mm.bing.net. None of it is attributed to the dropped executables, and it is consistent with Windows and Office background activity in the sandbox (WINWORD.EXE was launched on C:\Windows\mydoc.rtf) rather than with command-and-control; treat these destinations as environment noise, not as indicators.

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 11.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/824-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

MD5 c4954c3e34399ab695a33fc63c8dcddd
SHA1 d0599623fcffa3c8f3fdac433cdc31b41708a8bb
SHA256 e663ff56deaaf66bd7ec29eedae945fc243acea394a8c926b9f81b6ae66561e1
SHA512 b485ce384e71e320882bbc1c03459130bed231ed0c99a977a45183901a87ae0775d44884f481e43cc4a8d2f712e137fdfd8fba2839d1a321f0eb29dcf4495b9f

C:\Windows\SysWOW64\xglufnyjap.exe

MD5 4e0010bbd9d1ede0229431225d11b4c0
SHA1 3055bc9fc94f0accbc71b0fce6639d928989994f
SHA256 a59fa0a915002b316ee260d8bf62e49fbd5afae9c80922b28311d657dcf24b7a
SHA512 c60c6b398f54682130c2fc9010c304d9e35ed73155ae72c2ea42eebc2f62e5912a29c152cecf4ec6123b45aab4c98d7494b1e501a54011219ca5b8817e1c2ea9

C:\Windows\SysWOW64\ttnebptsjdpvw.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are those of a zero-byte file: the sandbox captured ttnebptsjdpvw.exe before the sample had written any content to it. Do not use them as indicators, since every empty file hashes to these values.

C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

MD5 ed1c60e9a7a92edcab339f7ee087e387
SHA1 88f8f6c911931da7e87f20ba56d19ccf2c015417
SHA256 ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3
SHA512 2ecc0b336db1f9d6b3d4d6880980f27a8a4e9ce7eb25a12b095beb28075d793fc7667f06d7bc4512548393d0374885e8739514b96173aaefa44d7baf434f24a2

C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

MD5 f290a0f000202d65c447c688e5b8e587
SHA1 d3d95890cdd64ceb97ebbce72516d012fcbb52b9
SHA256 a59c8cbb3b3f2884e1b8645cbd3be4d06f45559d7c34af095b88a8b0444f94d1
SHA512 a3b2f99680dac2b5f8acfc62adf1d068a3de8278501e9acb918f89ba2c21cd1340fb985f2a592198a36ca1a2c21f6c980850ec0c633d05b7327280e667d712ff

C:\Windows\SysWOW64\xglufnyjap.exe

MD5 37103ab666d76a6537f43f1b58610180
SHA1 6eecdfa4a77bb74c62f84bdaee4f1f753dc5157d
SHA256 1ce07688e89f9e830041ba37ca9d44a2b3e8f4d65b2a656cfe5a7d816e36d95f
SHA512 ac6c49dcaf59209302129765d9a5583b3ddbb0e9e95a4430e0c6532260481f0156551e364306aa661fa056421020c26cb26958d026868213ae2e5dbb0331c9a4

C:\Windows\SysWOW64\frflvhui.exe

MD5 b4aeec33bcb8b7c2a068b715d66bcbd9
SHA1 6f7ce51dd0077af2093d1534515af3685efbad7e
SHA256 372171bf4b7ffbe6a80b250c22e0fc33fb8e67fc45d1fb42da0cdfaac8fae984
SHA512 b5204500110ebbe1c63829eb8f301dab923dc355d41350c9c06439d170f7fee2e76f43e3e702dacac0de600fca93bb42c3505b8d298a227a7cde84091d4f65ba

memory/3036-39-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-42-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-43-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-44-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-45-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-47-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-48-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-51-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-52-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-53-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-54-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-56-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-57-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-55-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-50-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

memory/3036-49-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-46-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-41-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-40-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-38-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-37-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-58-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

memory/3036-104-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 add1e2713483deb75c7f6fceaf4d3dcd
SHA1 24369b1ab5aaeb22033b7eebf7bfb33568f7f0ca
SHA256 1ca73d664453b42c8c7f7238787d41f8ae8c484eb3f429696a953be07a019a30
SHA512 f86776176c454202a045738ee4e80046fe10462371e91678679e14a5ee061b02454d37683b99cdd01bfb07b8e325504be03394caa20519b23e7df4a7dc0cf90c

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 ce87d1185f9e0d44ebfed1431c83c9ed
SHA1 11237f5a6d83facfb41da7e58c25a55f3ac2846e
SHA256 fbe6e76269aff274f56ef1a82ad5f5e9024fc46af718f56185cf9be3b43fc734
SHA512 7fa0c5e198c60863fa4c90ac39c795acd00dac6cefc84042110eee79a1d8cddda65e5752e2718f8e084f1acbc0565a6c59bf26470c7952c45ab37bf830336424

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 941b0cb20a8f245d97bb40d990f78281
SHA1 2d7a037cf08562148d9b7347a0e3e00d223f8d9d
SHA256 e42b962cdb2fcc8603dea723fa7780fd9f2c2ccbeae0f322c87989956a37b281
SHA512 868e35b594230ee604e6068381807a190b7a9c817dd4e202c681a1ec88712cab5118c392dfea957c4c03b391b55e9c8c1c38e2b96a7323b5e2b56a750ea87343

memory/3036-144-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

memory/3036-143-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-142-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-141-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

memory/3036-140-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:35

Reported

2024-01-07 19:38

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\syyqeollnb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izjsnlwq = "syyqeollnb.exe" C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ilnsdbjw = "updnnhixkqehzuw.exe" C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mhnrnvuftqamu.exe" C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\syyqeollnb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\syyqeollnb.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\syyqeollnb.exe N/A
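The registry rows in the tables above are the most reusable part of this report: HideFileExt = 1 makes a dropped PopResume.doc.exe display as PopResume.doc, ShowSuperHidden = 0 hides protected system files, DisableRegistryTools = 1 blocks regedit, the Security Center Override/DisableNotify values silence AV and firewall warnings, SFCDisable = 4294967197 (0xFFFFFF9D) turns off Windows File Protection, and the Run keys restart the dropped binaries at logon. The script below is an added example, not part of the sandbox report: it parses rows in the flattened "Description Indicator Process Target" format used above and applies a small rule set to them. The sample rows are copied from the behavioral1 tables; the rule descriptions and ATT&CK technique IDs are this example's own mapping, and rows whose data is an unquoted hex blob ("Set value (data)") are skipped on purpose.

```python
"""Rule check over the registry rows in the behavioral1 signature tables.

Added example, not part of the sandbox report. Row format follows the
flattened 'Description Indicator Process Target' tables above; the rule set
and the ATT&CK technique IDs are this example's own mapping.
"""
import re
from dataclasses import dataclass

# Rows copied from the tables above (constructed sample input; the last row is
# ordinary Word housekeeping and should not match any rule).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izjsnlwq = "syyqeollnb.exe" C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# Description, full value path (may contain spaces, e.g. "Security Center"),
# quoted data, writing process (may contain spaces) and the target column.
# Rows with unquoted hex data ("Set value (data) ... = 7800...") do not match.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\[^"]*?) = "(?P<data>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    process: str
    path: str
    data: str


def _nonzero(d):
    return d.isdigit() and int(d) != 0


# (regex over the full value path, predicate over data, description, ATT&CK ID)
RULES = [
    (r"\\Explorer\\Advanced\\HideFileExt$", lambda d: d == "1",
     "Hides file extensions in Explorer (a dropped X.doc.exe displays as X.doc)", "T1564.001"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", lambda d: d == "0",
     "Hides protected operating-system files in Explorer", "T1564.001"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda d: d == "1",
     "Blocks regedit for the current user", "T1562.001"),
    (r"\\Security Center\\(\w*(Override|DisableNotify)|FirstRunDisabled)$", lambda d: d == "1",
     "Silences Security Center AV/firewall/update warnings", "T1562.001"),
    (r"\\Winlogon\\SFCDisable$", _nonzero,
     "Turns off Windows File Protection (4294967197 == 0xFFFFFF9D)", "T1562.001"),
    (r"\\CurrentVersion\\Run\\[^\\]*$", lambda d: True,
     "Run-key autostart entry", "T1547.001"),
]


def parse_row(line):
    """Split one flattened table row into its columns, or return None."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    row = m.groupdict()
    key, _, name = row["path"].rpartition("\\")
    row["key"], row["name"] = key, name      # name is "" for a key's default value
    return row


def evaluate(rows_text):
    """Apply RULES to every parseable row; the first matching rule wins."""
    findings = []
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        for pattern, accept, rule, technique in RULES:
            if re.search(pattern, row["path"]) and accept(row["data"]):
                findings.append(Finding(rule, technique, row["process"], row["path"], row["data"]))
                break
    return findings


def by_technique(findings):
    """Count findings per ATT&CK technique ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ROWS):
        print(f"{f.technique}  {f.process}\n    {f.rule}\n    {f.path} = {f.data!r}")
```

The same rows, exported from a host as Sysmon event ID 13 (RegistryEvent value set) records, would match the same patterns once the value path and data are pulled from the event fields; the parser here is specific to the report's flattened layout, the rule set is not.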

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\oxdqizle.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\syyqeollnb.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\updnnhixkqehzuw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\updnnhixkqehzuw.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\mhnrnvuftqamu.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\syyqeollnb.exe N/A
File created C:\Windows\SysWOW64\syyqeollnb.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\oxdqizle.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
File created C:\Windows\SysWOW64\mhnrnvuftqamu.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\PopResume.doc.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification \??\c:\Program Files\PopResume.doc.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files\PopResume.doc.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File created \??\c:\Program Files\PopResume.doc.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files\PopResume.doc.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files\PopResume.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files\PopResume.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\oxdqizle.exe N/A
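The rows above show the sample writing executables named after documents (PopResume.doc.exe, PROTTPLV.DOC.exe, PROTTPLN.DOC.exe) next to a same-stem .nal file, and the behavioral2 run shows the same naming in SysWOW64\MSDRM\MsoIrmProtector.doc.exe. Combined with HideFileExt = 1 from the evasion table above, Explorer presents such a file as PopResume.doc. The script below is an added hunting example, not part of the sandbox report: it walks a directory tree for a document extension hidden behind an executable one and reports whether a .nal companion sits beside it. The directory layout is constructed in a temporary folder from the paths in the table; file contents are placeholders, because the report records only that both files were opened for modification, not what they contain.

```python
"""Hunt for document-named executables with a .nal companion file.

Added example, not part of the sandbox report. The directory layout below
mirrors the paths in the 'Drops file in Program Files directory' table and is
constructed in a temporary folder; file contents are placeholders.
"""
import os
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_double_extension(name):
    """True for names like PopResume.doc.exe: a document extension in front of
    an executable one (shown as 'PopResume.doc' when HideFileExt is set)."""
    p = Path(name.lower())
    return p.suffix in EXEC_EXTS and Path(p.stem).suffix in DOC_EXTS


def companion_name(name):
    """PROTTPLV.DOC.exe -> PROTTPLV.nal (same stem, .nal extension)."""
    return Path(Path(name).stem).stem + ".nal"


def hunt(root):
    """Walk root and return one record per double-extension executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for f in files:
            if not is_double_extension(f):
                continue
            hits.append({
                "path": os.path.join(dirpath, f),
                "displayed_as": Path(f).stem,            # name as Explorer shows it with .exe hidden
                "nal_companion": companion_name(f).lower() in lowered,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Constructed layout echoing the report's Program Files drops."""
    root = tempfile.mkdtemp(prefix="docexe_hunt_")
    layout = {
        "Program Files/PopResume.doc.exe": b"MZ placeholder",
        "Program Files/PopResume.nal": b"placeholder",
        "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLV.DOC.exe": b"MZ placeholder",
        "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLV.nal": b"placeholder",
        # controls: an untouched document and a normal single-extension binary
        "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLN.DOC": b"placeholder",
        "Program Files/Common Files/setup.exe": b"MZ placeholder",
    }
    for rel, data in layout.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print(hit)
```

On a real host, point hunt() at the Program Files roots and user profile folders; a double-extension executable with a same-stem .nal beside it matches exactly the file pairs this sample left behind, while a double extension on its own is still worth a look.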

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8F482E82139136D6217E90BD92E636584667466333D691" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\syyqeollnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B05B479538E353BEB9A73299D7B8" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\syyqeollnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168C6FE6E22DBD27ED0A28B7E906B" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\syyqeollnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
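Two things in the Internet Explorer and "Modifies registry class" rows above are worth checking rather than eyeballing. First, the long hex values stored as the `command` value under `...\shell\edit\command` are REG_MULTI_SZ data dumped as hex; decoded as UTF-16LE each is an MSI Darwin descriptor (compressed product code, feature name, `>`, compressed component code, then the verb's arguments), which Office writes when it registers its advertised verbs, so every one of those rows is WINWORD.EXE self-registration rather than the sample's work. Second, the rows that the dropped `syyqeollnb.exe` writes remap the default ProgID of `.bat`, `.reg` and `.WSF` to `txtfile`, which makes Explorer open those files in Notepad instead of running them, a cheap way to break cleanup scripts and `.reg` fixes. The script below is an added example, not part of the sandbox report: it decodes the three distinct descriptor blobs (the product code they decode to is an Office 2010 one, consistent with the `Office14` path in the Process column) and flags the script-handler remaps over a constructed subset of the rows. The base-85 alphabet is the one msi.dll uses for compressed GUIDs; the extension list is the author's choice, not something the report states; and the `CLV.Classes` values the sample writes are left alone, since the page gives no key to them.

```python
"""Decode and triage the registry rows above (added example, not from the report).

The hex blobs stored as the 'command' value under ...\\shell\\edit\\command are
REG_MULTI_SZ data shown as hex.  Decoded as UTF-16LE each one is an MSI Darwin
descriptor: a 20-char compressed product code, a feature name, '>', a 20-char
compressed component code, then the verb's arguments.  Office writes these
when it registers its advertised verbs, so those rows come from WINWORD.EXE's
own self-registration, not from the sample.
"""
import re
import uuid

# MSI's base-85 alphabet for compressed GUIDs; a character's index is its digit value.
_B85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
        "abcdefghijklmnopqrstuvwxyz{}~")
_B85_INDEX = {ch: i for i, ch in enumerate(_B85)}

# The three distinct 'command' blobs copied verbatim from the rows above.
DARWIN_COMMANDS = {
    "Word edit": (
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
        "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
        "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"),
    "Excel edit": (
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
        "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
        "3800270077002100460049006400310067004c00510020002f0064006400650000000000"),
    "Publisher edit": (
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
        "5000750062005000720069006d006100720079003e00520024006e0075006a005300570046006500"
        "3f007d0061004c00720052007000390078004000570020002500310000000000"),
}


def decompress_guid(packed: str) -> str:
    """Expand a 20-char MSI compressed GUID into registry form {XXXXXXXX-....}.

    Each group of five characters is a base-85 number, least significant digit
    first, giving one DWORD; the four DWORDs are the GUID struct as it sits in
    memory, which uuid.UUID(bytes_le=...) reads directly.
    """
    if len(packed) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    raw = bytearray()
    for i in range(0, 20, 5):
        val = sum(_B85_INDEX[ch] * 85 ** k for k, ch in enumerate(packed[i:i + 5]))
        raw += (val & 0xFFFFFFFF).to_bytes(4, "little")
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(raw))).upper()


def decode_darwin_command(hex_blob: str) -> dict:
    """Turn a hex-dumped REG_MULTI_SZ 'command' value into its descriptor fields."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")
    descriptor, _, args = text.partition(" ")      # arguments follow the first space
    product, rest = descriptor[:20], descriptor[20:]
    feature, _, component = rest.partition(">")
    return {
        "product_code": decompress_guid(product),
        "feature": feature,
        "component_id": decompress_guid(component),
        "args": args,
    }


# Script-capable extensions whose default ProgID should never be a text handler
# (the author's list; the report does not define one).
SCRIPT_EXTS = {".bat", ".cmd", ".reg", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"
DROPPED = r"C:\Windows\SysWOW64\syyqeollnb.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"

# (process, key, value name, data); "" is the key's default value.  A constructed
# subset of the rows above, not a full parse of the report.
ROWS = [
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF", "", "txtfile"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Classes\.bat", "", "txtfile"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Classes\.reg", "", "txtfile"),
    (SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes", "Com3",
     "2FC4B05B479538E353BEB9A73299D7B8"),
    (WINWORD, r"\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec",
     "", '[open("%1")]'),
]


def hijacked_script_handlers(rows):
    """Return (ext, progid, process) for script extensions whose default ProgID
    was pointed at txtfile, i.e. files that will now open in Notepad, not run."""
    hits = []
    for proc, key, name, data in rows:
        m = re.search(r"\\Classes\\(\.[A-Za-z0-9]+)$", key)
        if m and name == "" and m.group(1).lower() in SCRIPT_EXTS and data.lower() == "txtfile":
            hits.append((m.group(1).lower(), data, proc))
    return hits


if __name__ == "__main__":
    for label, blob in DARWIN_COMMANDS.items():
        print(label, decode_darwin_command(blob))
    for ext, progid, proc in hijacked_script_handlers(ROWS):
        print(f"{ext} now opens as {progid!r}, set by {proc}")
```

The decoded product code is the same for all three blobs; only the feature (`WORDFiles`, `EXCELFiles`, `PubPrimary`) and the trailing arguments differ, which is exactly what advertised-verb registration looks like. When triaging a report like this one, filter the registry rows by the Process column first: everything attributed to WINWORD.EXE here is Office noise, and the rows that matter are the handful written by the sample and the binaries it dropped into SysWOW64.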

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\syyqeollnb.exe N/A
N/A N/A C:\Windows\SysWOW64\syyqeollnb.exe N/A
N/A N/A C:\Windows\SysWOW64\syyqeollnb.exe N/A
N/A N/A C:\Windows\SysWOW64\syyqeollnb.exe N/A
N/A N/A C:\Windows\SysWOW64\syyqeollnb.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\oxdqizle.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\mhnrnvuftqamu.exe N/A
N/A N/A C:\Windows\SysWOW64\updnnhixkqehzuw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\updnnhixkqehzuw.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\updnnhixkqehzuw.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\updnnhixkqehzuw.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\updnnhixkqehzuw.exe
PID 3036 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\mhnrnvuftqamu.exe
PID 3036 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\mhnrnvuftqamu.exe
PID 3036 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\mhnrnvuftqamu.exe
PID 3036 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\mhnrnvuftqamu.exe
PID 1896 wrote to memory of 2612 N/A C:\Windows\SysWOW64\syyqeollnb.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 1896 wrote to memory of 2612 N/A C:\Windows\SysWOW64\syyqeollnb.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 1896 wrote to memory of 2612 N/A C:\Windows\SysWOW64\syyqeollnb.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 1896 wrote to memory of 2612 N/A C:\Windows\SysWOW64\syyqeollnb.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2632 wrote to memory of 948 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 948 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 948 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 948 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
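The WriteProcessMemory rows above are the sandbox's record of process creation: every "PID X wrote to memory of Y" line is one write the parent made while setting up a child it had just created, so each parent/child pair appears four times. Collapsing the repeats and linking the pairs gives the lineage an analyst actually wants from this section: the sample (3036) started the four dropped SysWOW64 binaries and WINWORD.EXE, the dropped `syyqeollnb.exe` (1896) started a second `oxdqizle.exe` (2612), and WINWORD.EXE started `splwow64.exe` (948), the 32-bit printing helper. The script below is an added example, not part of the report; it parses a constructed subset of the rows (the first pair kept with two of its repeats, the rest collapsed to one line each), builds the tree, and applies a triage heuristic of the author's own (a parent running from the user's Temp directory, or a non-Office image launching an Office application) that the sandbox itself does not define.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above (added example,
not part of the sandbox report)."""
import re
from collections import OrderedDict

# Constructed subset of the rows above.  The report repeats each parent/child
# pair four times; the first pair is kept with two repeats to show deduplication.
ROWS = r"""
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\syyqeollnb.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\updnnhixkqehzuw.exe
PID 3036 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Windows\SysWOW64\mhnrnvuftqamu.exe
PID 1896 wrote to memory of 2612 N/A C:\Windows\SysWOW64\syyqeollnb.exe C:\Windows\SysWOW64\oxdqizle.exe
PID 3036 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2632 wrote to memory of 948 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# Image paths contain spaces, so split on the '.exe' boundary rather than on whitespace.
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (C:\\.+)$", re.I)


def parse_edges(text):
    """Return deduplicated (parent_pid, child_pid, parent_image, child_image) in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            seen.setdefault((int(m.group(1)), int(m.group(2))), (m.group(3), m.group(4)))
    return [(p, c, imgs[0], imgs[1]) for (p, c), imgs in seen.items()]


def build_tree(edges):
    """Return (children map, pid -> image map, root pids)."""
    children, images, is_child = {}, {}, set()
    for p, c, pimg, cimg in edges:
        children.setdefault(p, []).append(c)
        images.setdefault(p, pimg)
        images[c] = cimg
        is_child.add(c)
    roots = [p for p in children if p not in is_child]
    return children, images, roots


def lineage(children, pid):
    """Chain of PIDs from the root down to pid."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, images, roots):
    """Indented text tree, one process per line."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid}  {images[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(out)


def flag_edges(edges):
    """Triage heuristic (the author's, not the sandbox's): a parent running from the
    user's Temp directory, or a non-Office image launching an Office application."""
    flagged = []
    for p, c, pimg, cimg in edges:
        temp_parent = "\\appdata\\local\\temp\\" in pimg.lower()
        office_child = ("\\microsoft office\\" in cimg.lower()
                        and "\\microsoft office\\" not in pimg.lower())
        if temp_parent or office_child:
            flagged.append((p, c))
    return flagged


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    children, images, roots = build_tree(edges)
    print(render(children, images, roots))
    print("flagged:", flag_edges(edges))
    print("lineage of 948:", lineage(children, 948))
```

Read the tree alongside the Processes list that follows: the command lines there show the dropped binaries were started by bare name (`syyqeollnb.exe`, `oxdqizle.exe`), and the WINWORD.EXE instance was given `C:\Windows\mydoc.rtf`, a document the sample wrote into the Windows directory, which is why Word and its printing helper appear under the sample's process tree at all.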

Processes

C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"

C:\Windows\SysWOW64\syyqeollnb.exe

syyqeollnb.exe

C:\Windows\SysWOW64\updnnhixkqehzuw.exe

updnnhixkqehzuw.exe

C:\Windows\SysWOW64\oxdqizle.exe

oxdqizle.exe

C:\Windows\SysWOW64\mhnrnvuftqamu.exe

mhnrnvuftqamu.exe

C:\Windows\SysWOW64\oxdqizle.exe

C:\Windows\system32\oxdqizle.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/3036-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\updnnhixkqehzuw.exe

MD5 d3cc351bf7c1d0278b1ef146a7d58ae7
SHA1 4ccc439b667342ed9be62f991724cc0d60306461
SHA256 1581bd26b3e6bee44f547f6434fa9137823efd2f293003b76bcaecd5c86ad46c
SHA512 7ee481f6879e92c05b332e602cf84e7cc3e69f97edc1012fc250d52712ea010137549d5c3f2fa029c39dce5f0e431e533d7ffefd7056e3e2ba4f3e4b38cd50bf

\Windows\SysWOW64\syyqeollnb.exe

MD5 85945b0abfe2de8d68e3ddc4ef1dd186
SHA1 b3900e53949cf7612fa2d41fc6b74bb5d16e23e8
SHA256 0093b4d3fe40773305a21ee1e87d3b77cfddb7fcb8d6e269255363a446b8f447
SHA512 28279e5965ff502bf665e432f655f1849433e7ef33b8d6daad42bce4e108728b8ba12ecfe6e867c7acd04756f24399e42aafbd5103f0568d4fc4cef620f311fc

\Windows\SysWOW64\oxdqizle.exe

MD5 9adb195379d7dd0d65fc598f95d64298
SHA1 e77aba8a5806eeb421e10db646a1306f948f2ffd
SHA256 6d9c3cc1e2f0c6c4979ff737108757cdb5e6a5d8220ff9dbaa66056f5d2a9c47
SHA512 344653f107b35e2142ee730832e6d2b8a46e20273a3840b47b4df3b183254f640058db72b893968c8d534fd8a94bbbbd966f56cd9e76097fac6297c65adcf9ff

C:\Windows\SysWOW64\mhnrnvuftqamu.exe

MD5 e23639df01edc17bd2e23a971d69fbda
SHA1 dbfdb7da706d1d6a8d63153ce9876f4c76427232
SHA256 3172de7c60ab089ba863ba2e8d8d6e5a7af1380e62e81ffeb4fe985e5e387062
SHA512 fa6ab0de0b663a913daac878734ef14b438d2a2ead52cd96b1b2b49232a466a50747021bfef0c7784aa587838345de4f829e89fdd245bf3426917a1f0438bb11

memory/2632-45-0x000000002F221000-0x000000002F222000-memory.dmp

memory/2632-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2632-47-0x000000007174D000-0x0000000071758000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files\PopResume.doc.exe

MD5 67ce2644f7d02067781481845dd8485d
SHA1 4bd94b0dc0807fe13ed06d87f5f380f75f922499
SHA256 bd3663ce56caccc943c9292c229fb0cfd1c41d3b1342b51c6e9f95900535802c
SHA512 1f0ec971fd3d0af81ea78a95e8446b55880795d8d7c8d18f82060a9e3d5674e7d69ce45454273250aa7d5553f5aafabb5f07e8c1b66cd927ef473c457bb2b8c8

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 5421cb1cbba708b4ea0c07a64e19ffed
SHA1 9667419b526c83905b2456a5cc3b17cb320ba48c
SHA256 d3ff18b4c4808393aaed293e30733cb03eab694e34439d82e77b5cc9e9c16cad
SHA512 f89a18405de14bb7d0da267798935e952f29d6161e007c7f298976e9099ab72217eeca283032818d8cf764efe4bc1c9e86c722b1c192e5050fff5e1f8e1d075d

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 76b2b48ca7386541913cb09032ed094c
SHA1 8715eef910b176a38aa28d0167036de1db2b8403
SHA256 5f2e2d646117cef3e0e9bba81bcec70dbdf5949ee39917c33e757e17aec1c8d2
SHA512 b07064bf06752f29b336667c3e435a4a6581a41f5f75752a8e25b025d5ce5932c6578c092722c44725ca06f27cade88a142081d64866bc77a108f73cbe96d2d6

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 8b7ab9961e195817d244f13840e4c09d
SHA1 65cc55878abadf97c3d32287d8d645b7e2e1be2f
SHA256 a70754e9b82ab768874e95909440f87e5775cd052d94d527aaabd45183d9c762
SHA512 887fbc4b3c6242ffe3dba4fc84b6aea6a8c570fc42ac569a578c7a6d59a557e2ff067a45abd5035ede0e10653faec57a0fd3d7cf504534aa05120d547bb4d03e

C:\Users\Admin\Documents\SkipSubmit.doc.exe

MD5 27e7bf1641743047a1113949abe86119
SHA1 99a3d9ba436e50f11c542b25b2c50b4115c129e9
SHA256 0cd2522f05dbb1a463e9401ad22363713ece2cca326dbb12676165f821e7965d
SHA512 e5c78113bfd3ae4788c3c9b2bc0e20b9938f0e0e166067ab790630fef6bef339dbdc6fb83a40d45517b19af9b4af53141733182be45162e3cd9f6f8f846dd9a4

memory/2632-97-0x000000007174D000-0x0000000071758000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 866f2fefced5bcdc28f69dd3fb23ba9c
SHA1 9d21cddc0bf3b25d4014210265f1f3af06865e89
SHA256 4c8e4ed9a02a470bff9e5b3ec29497be2011db16c0be96ed72e24fe0dcd07609
SHA512 bbddbb6ae3ab54f1ff2a8b419b0ae448a8d37f3d559d2afbde45b5d37e1ee50391b14707d7a2cfab20365df68e15516d4628e8ac3c4d736d1c1965a54c53b073

memory/2632-118-0x000000005FFF0000-0x0000000060000000-memory.dmp