Analysis
-
max time kernel
154s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
04/10/2022, 04:49
Behavioral task
behavioral1
Sample
7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe
Resource
win10v2004-20220901-en
General
-
Target
7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe
-
Size
42KB
-
MD5
44eb3d88f54f445d6896f99d23c055a9
-
SHA1
4076dc5fff3f965a02e505dad1217cbba5717a7e
-
SHA256
7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f
-
SHA512
39b976bad403e2a1454d8273791e39533e91ef80753e0c2b5f41cef33e18f3d2d1c164077e9338b7c88cfd528cc00a390fc2f337a603a8f7959ba80bdde34037
-
SSDEEP
768:gSz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888l:BzOCay4wV339rPjzbpLwRJ9pSdoII
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" CTFMON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" CTFMON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SPOOLSV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SVCHOST.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CTFMON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CTFMON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SPOOLSV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE -
resource yara_rule behavioral1/files/0x0006000000014bad-57.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-58.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-60.dat aspack_v212_v242 behavioral1/files/0x0006000000015329-65.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-64.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-68.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-72.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-73.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-74.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-76.dat aspack_v212_v242 behavioral1/files/0x0006000000015329-80.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-82.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-84.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-87.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-90.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-100.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-97.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-95.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-96.dat aspack_v212_v242 behavioral1/files/0x0006000000015329-107.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-109.dat aspack_v212_v242 behavioral1/files/0x0006000000014bad-111.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-114.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-116.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-118.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-122.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-129.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-131.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-137.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-138.dat aspack_v212_v242 behavioral1/files/0x0006000000014c95-140.dat aspack_v212_v242 behavioral1/files/0x0006000000014f93-145.dat aspack_v212_v242 
behavioral1/files/0x0006000000014f93-148.dat aspack_v212_v242 -
Executes dropped EXE 12 IoCs
pid Process 1280 SVCHOST.EXE 1480 SVCHOST.EXE 984 SPOOLSV.EXE 648 SVCHOST.EXE 1692 SPOOLSV.EXE 1816 CTFMON.EXE 1528 SVCHOST.EXE 1652 SPOOLSV.EXE 1192 CTFMON.EXE 1944 CTFMON.EXE 1228 SPOOLSV.EXE 1100 CTFMON.EXE -
Loads dropped DLL 15 IoCs
pid Process 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe 1280 SVCHOST.EXE 1280 SVCHOST.EXE 984 SPOOLSV.EXE 984 SPOOLSV.EXE 984 SPOOLSV.EXE 984 SPOOLSV.EXE 1816 CTFMON.EXE 1816 CTFMON.EXE 1816 CTFMON.EXE 1280 SVCHOST.EXE 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Recycled\desktop.ini 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\ Explorer.exe CTFMON.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\Fonts\ Explorer.exe 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe File opened for modification C:\Windows\Fonts\ Explorer.exe SVCHOST.EXE File opened for modification C:\Windows\Fonts\ Explorer.exe SPOOLSV.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML 
Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" SPOOLSV.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" SPOOLSV.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft 
Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1616 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1616 WINWORD.EXE 1616 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 1448 7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe 1280 SVCHOST.EXE 1480 SVCHOST.EXE 984 SPOOLSV.EXE 648 SVCHOST.EXE 1692 SPOOLSV.EXE 1816 CTFMON.EXE 1528 SVCHOST.EXE 1652 SPOOLSV.EXE 1192 CTFMON.EXE 1944 CTFMON.EXE 1228 SPOOLSV.EXE 1100 CTFMON.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE -
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe "C:\Users\Admin\AppData\Local\Temp\7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.exe" 1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE :agent 2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE :agent 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1480
-
-
C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE :agent 3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984 -
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:648
-
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692
-
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1652
-
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192
-
-
-
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228
-
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7909d52b9e1870b13daa6435015b52c8a87f9c646c67d0dd9efbdf1e34dda90f.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1616
-
Network
MITRE ATT&CK Enterprise v6
Downloads