c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02

Analysis

max time kernel
152s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
Size

255KB
MD5

61507aec123d36be1cb4764fd14de856
SHA1

dddf303620edc157641ff233dcb2e8dd8f84ab14
SHA256

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02
SHA512

81c89fa6d62c54e6b60114d06623c0f9065a5d8ed44987f02344e842cc0103e48e72e7ed5420fb44cdd6bec919b108ddf1260ce56a704b5402bdb85a1d668d1f
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJy:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIv

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	kecblicnie.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kecblicnie.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kecblicnie.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kecblicnie.exe

Executes dropped EXE 6 IoCs

Processes:

kecblicnie.exepzihhlrlpsjpixe.exexpjvvwfb.exelkpfjljwymvwa.exexpjvvwfb.exelkpfjljwymvwa.exe

pid process

2044 kecblicnie.exe
1992 pzihhlrlpsjpixe.exe
1428 xpjvvwfb.exe
268 lkpfjljwymvwa.exe
636 xpjvvwfb.exe
1852 lkpfjljwymvwa.exe

pid	process
2044	kecblicnie.exe
1992	pzihhlrlpsjpixe.exe
1428	xpjvvwfb.exe
268	lkpfjljwymvwa.exe
636	xpjvvwfb.exe
1852	lkpfjljwymvwa.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\kecblicnie.exe	upx
C:\Windows\SysWOW64\kecblicnie.exe	upx
\Windows\SysWOW64\pzihhlrlpsjpixe.exe	upx
C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe	upx
C:\Windows\SysWOW64\kecblicnie.exe	upx
\Windows\SysWOW64\xpjvvwfb.exe	upx
C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe	upx
C:\Windows\SysWOW64\xpjvvwfb.exe	upx
\Windows\SysWOW64\lkpfjljwymvwa.exe	upx
C:\Windows\SysWOW64\xpjvvwfb.exe	upx
C:\Windows\SysWOW64\lkpfjljwymvwa.exe	upx
C:\Windows\SysWOW64\lkpfjljwymvwa.exe	upx
\Windows\SysWOW64\xpjvvwfb.exe	upx
C:\Windows\SysWOW64\xpjvvwfb.exe	upx
\Windows\SysWOW64\lkpfjljwymvwa.exe	upx
C:\Windows\SysWOW64\lkpfjljwymvwa.exe	upx
behavioral1/memory/2044-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1280-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1428-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1992-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/268-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/636-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1852-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1280-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
behavioral1/memory/1992-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1428-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/268-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2044-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/636-107-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1852-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/636-115-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1428-114-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.execmd.exe

pid	process
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
2044	kecblicnie.exe
1104	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kecblicnie.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzihhlrlpsjpixe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	pzihhlrlpsjpixe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pczfihnn = "kecblicnie.exe"	pzihhlrlpsjpixe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hnrztait = "pzihhlrlpsjpixe.exe"	pzihhlrlpsjpixe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lkpfjljwymvwa.exe"	pzihhlrlpsjpixe.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

xpjvvwfb.exexpjvvwfb.exekecblicnie.exe

description	ioc	process
File opened (read-only)	\??\m:	xpjvvwfb.exe
File opened (read-only)	\??\f:	xpjvvwfb.exe
File opened (read-only)	\??\n:	xpjvvwfb.exe
File opened (read-only)	\??\i:	xpjvvwfb.exe
File opened (read-only)	\??\n:	xpjvvwfb.exe
File opened (read-only)	\??\b:	kecblicnie.exe
File opened (read-only)	\??\s:	xpjvvwfb.exe
File opened (read-only)	\??\g:	kecblicnie.exe
File opened (read-only)	\??\w:	kecblicnie.exe
File opened (read-only)	\??\f:	xpjvvwfb.exe
File opened (read-only)	\??\k:	kecblicnie.exe
File opened (read-only)	\??\j:	xpjvvwfb.exe
File opened (read-only)	\??\l:	xpjvvwfb.exe
File opened (read-only)	\??\p:	xpjvvwfb.exe
File opened (read-only)	\??\w:	xpjvvwfb.exe
File opened (read-only)	\??\b:	xpjvvwfb.exe
File opened (read-only)	\??\t:	xpjvvwfb.exe
File opened (read-only)	\??\x:	xpjvvwfb.exe
File opened (read-only)	\??\t:	kecblicnie.exe
File opened (read-only)	\??\g:	xpjvvwfb.exe
File opened (read-only)	\??\h:	xpjvvwfb.exe
File opened (read-only)	\??\z:	xpjvvwfb.exe
File opened (read-only)	\??\a:	xpjvvwfb.exe
File opened (read-only)	\??\h:	xpjvvwfb.exe
File opened (read-only)	\??\l:	kecblicnie.exe
File opened (read-only)	\??\o:	kecblicnie.exe
File opened (read-only)	\??\l:	xpjvvwfb.exe
File opened (read-only)	\??\j:	kecblicnie.exe
File opened (read-only)	\??\y:	kecblicnie.exe
File opened (read-only)	\??\r:	xpjvvwfb.exe
File opened (read-only)	\??\q:	xpjvvwfb.exe
File opened (read-only)	\??\k:	xpjvvwfb.exe
File opened (read-only)	\??\w:	xpjvvwfb.exe
File opened (read-only)	\??\a:	kecblicnie.exe
File opened (read-only)	\??\m:	kecblicnie.exe
File opened (read-only)	\??\r:	kecblicnie.exe
File opened (read-only)	\??\s:	kecblicnie.exe
File opened (read-only)	\??\t:	xpjvvwfb.exe
File opened (read-only)	\??\m:	xpjvvwfb.exe
File opened (read-only)	\??\o:	xpjvvwfb.exe
File opened (read-only)	\??\q:	xpjvvwfb.exe
File opened (read-only)	\??\r:	xpjvvwfb.exe
File opened (read-only)	\??\v:	xpjvvwfb.exe
File opened (read-only)	\??\h:	kecblicnie.exe
File opened (read-only)	\??\x:	kecblicnie.exe
File opened (read-only)	\??\a:	xpjvvwfb.exe
File opened (read-only)	\??\u:	xpjvvwfb.exe
File opened (read-only)	\??\n:	kecblicnie.exe
File opened (read-only)	\??\s:	xpjvvwfb.exe
File opened (read-only)	\??\k:	xpjvvwfb.exe
File opened (read-only)	\??\x:	xpjvvwfb.exe
File opened (read-only)	\??\e:	xpjvvwfb.exe
File opened (read-only)	\??\o:	xpjvvwfb.exe
File opened (read-only)	\??\p:	xpjvvwfb.exe
File opened (read-only)	\??\u:	xpjvvwfb.exe
File opened (read-only)	\??\p:	kecblicnie.exe
File opened (read-only)	\??\i:	xpjvvwfb.exe
File opened (read-only)	\??\y:	xpjvvwfb.exe
File opened (read-only)	\??\f:	kecblicnie.exe
File opened (read-only)	\??\u:	kecblicnie.exe
File opened (read-only)	\??\j:	xpjvvwfb.exe
File opened (read-only)	\??\y:	xpjvvwfb.exe
File opened (read-only)	\??\e:	kecblicnie.exe
File opened (read-only)	\??\z:	kecblicnie.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

kecblicnie.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	kecblicnie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	kecblicnie.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2044-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1280-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1428-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/636-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1852-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1280-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1428-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2044-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/636-107-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1852-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/636-115-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1428-114-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\kecblicnie.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File created	C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File opened for modification	C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File opened for modification	C:\Windows\SysWOW64\xpjvvwfb.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File created	C:\Windows\SysWOW64\lkpfjljwymvwa.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File created	C:\Windows\SysWOW64\kecblicnie.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File opened for modification	C:\Windows\SysWOW64\lkpfjljwymvwa.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	kecblicnie.exe
File created	C:\Windows\SysWOW64\xpjvvwfb.exe	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe

Drops file in Program Files directory 15 IoCs

Processes:

xpjvvwfb.exexpjvvwfb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xpjvvwfb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xpjvvwfb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xpjvvwfb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xpjvvwfb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xpjvvwfb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xpjvvwfb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xpjvvwfb.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXEc980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe

description	ioc	process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEc980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9BEF964F19183783B36819939E4B38F038C43620239E1BE45E808D6"	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67F14E0DBB1B9C07CE5ED9737CD"	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8C4F5B85689132D72B7DE6BC95E640594A66416242D7EC"	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	kecblicnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7D9C5183226A3076A070252CA97D8764DC"	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	kecblicnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	kecblicnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	kecblicnie.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	kecblicnie.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1888 WINWORD.EXE

pid	process
1888	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exepzihhlrlpsjpixe.exexpjvvwfb.exelkpfjljwymvwa.exexpjvvwfb.exelkpfjljwymvwa.exe

pid	process
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1992	pzihhlrlpsjpixe.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1992	pzihhlrlpsjpixe.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1992	pzihhlrlpsjpixe.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1992	pzihhlrlpsjpixe.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exepzihhlrlpsjpixe.exexpjvvwfb.exelkpfjljwymvwa.exexpjvvwfb.exelkpfjljwymvwa.exe

pid	process
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exepzihhlrlpsjpixe.exexpjvvwfb.exelkpfjljwymvwa.exexpjvvwfb.exelkpfjljwymvwa.exe

pid	process
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
2044	kecblicnie.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1992	pzihhlrlpsjpixe.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
1428	xpjvvwfb.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
268	lkpfjljwymvwa.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
636	xpjvvwfb.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe
1852	lkpfjljwymvwa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1888 WINWORD.EXE
1888 WINWORD.EXE

pid	process
1888	WINWORD.EXE
1888	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exekecblicnie.exepzihhlrlpsjpixe.execmd.exeWINWORD.EXE

description	pid	process	target process
PID 1280 wrote to memory of 2044	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	kecblicnie.exe
PID 1280 wrote to memory of 2044	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	kecblicnie.exe
PID 1280 wrote to memory of 2044	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	kecblicnie.exe
PID 1280 wrote to memory of 2044	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	kecblicnie.exe
PID 1280 wrote to memory of 1992	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	pzihhlrlpsjpixe.exe
PID 1280 wrote to memory of 1992	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	pzihhlrlpsjpixe.exe
PID 1280 wrote to memory of 1992	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	pzihhlrlpsjpixe.exe
PID 1280 wrote to memory of 1992	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	pzihhlrlpsjpixe.exe
PID 1280 wrote to memory of 1428	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	xpjvvwfb.exe
PID 1280 wrote to memory of 1428	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	xpjvvwfb.exe
PID 1280 wrote to memory of 1428	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	xpjvvwfb.exe
PID 1280 wrote to memory of 1428	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	xpjvvwfb.exe
PID 1280 wrote to memory of 268	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	lkpfjljwymvwa.exe
PID 1280 wrote to memory of 268	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	lkpfjljwymvwa.exe
PID 1280 wrote to memory of 268	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	lkpfjljwymvwa.exe
PID 1280 wrote to memory of 268	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	lkpfjljwymvwa.exe
PID 2044 wrote to memory of 636	2044	kecblicnie.exe	xpjvvwfb.exe
PID 2044 wrote to memory of 636	2044	kecblicnie.exe	xpjvvwfb.exe
PID 2044 wrote to memory of 636	2044	kecblicnie.exe	xpjvvwfb.exe
PID 2044 wrote to memory of 636	2044	kecblicnie.exe	xpjvvwfb.exe
PID 1992 wrote to memory of 1104	1992	pzihhlrlpsjpixe.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	pzihhlrlpsjpixe.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	pzihhlrlpsjpixe.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	pzihhlrlpsjpixe.exe	cmd.exe
PID 1104 wrote to memory of 1852	1104	cmd.exe	lkpfjljwymvwa.exe
PID 1104 wrote to memory of 1852	1104	cmd.exe	lkpfjljwymvwa.exe
PID 1104 wrote to memory of 1852	1104	cmd.exe	lkpfjljwymvwa.exe
PID 1104 wrote to memory of 1852	1104	cmd.exe	lkpfjljwymvwa.exe
PID 1280 wrote to memory of 1888	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	WINWORD.EXE
PID 1280 wrote to memory of 1888	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	WINWORD.EXE
PID 1280 wrote to memory of 1888	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	WINWORD.EXE
PID 1280 wrote to memory of 1888	1280	c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe	WINWORD.EXE
PID 1888 wrote to memory of 768	1888	WINWORD.EXE	splwow64.exe
PID 1888 wrote to memory of 768	1888	WINWORD.EXE	splwow64.exe
PID 1888 wrote to memory of 768	1888	WINWORD.EXE	splwow64.exe
PID 1888 wrote to memory of 768	1888	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
"C:\Users\Admin\AppData\Local\Temp\c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\kecblicnie.exe
kecblicnie.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\xpjvvwfb.exe
C:\Windows\system32\xpjvvwfb.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636

C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe
pzihhlrlpsjpixe.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c lkpfjljwymvwa.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\lkpfjljwymvwa.exe
lkpfjljwymvwa.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1852

C:\Windows\SysWOW64\xpjvvwfb.exe
xpjvvwfb.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428

C:\Windows\SysWOW64\lkpfjljwymvwa.exe
lkpfjljwymvwa.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:268

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
85a67e8fdace3f37391022bc16f74982

SHA1
d2ab27670fb59eea8202545fd2f71d7f801020f9

SHA256
0ed142a4cb4ca0c298444dfc36dbb879bbf3c355bc9e0ea408bb48bb71fb1572

SHA512
70a848a4ee430bd6d31ac0fce731877719d88881d3a90b3bee2f2e8d0fa52fef454f3e23dac5cd7a5495ff03de263274502070216eddf3ba4167b8c417f17c1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
3089cceeed7edef933295a0a91225893

SHA1
14d1d7837b800892f2f3e3db702e37ed47d87b62

SHA256
3620143881822ea5c91b3dfc065810e1972de04a7c39fe9bfb3b642a825cff25

SHA512
3cf903ed17aea38592af671c753a5f58b9a3b01f5b106b32c931be9a4ab0c72f21a93e183a40e45a1327ad7a4a0f4b225638c70162b9331b43fc70d88cb2f613

Download Submit
C:\Windows\SysWOW64\kecblicnie.exe

Filesize
255KB

MD5
9a83faf3fe80fb5f57899849c3b82454

SHA1
a3c54d647f79d9233a18c5dfa4e2898e6be2107f

SHA256
4ce148e1fe8cf6a746f425b756c9bdb48e127fbd474d0e4af448ffdd8bd65347

SHA512
9837b1c96cf1d7233f1d3225411e0b390f9fdd067856f18f3762d3ec9b9f0d287b07a28fd27869e703f85a66f770209ea1b344149914fc9b4110e25d6c053ea8

Download Submit
C:\Windows\SysWOW64\kecblicnie.exe

Filesize
255KB

MD5
9a83faf3fe80fb5f57899849c3b82454

SHA1
a3c54d647f79d9233a18c5dfa4e2898e6be2107f

SHA256
4ce148e1fe8cf6a746f425b756c9bdb48e127fbd474d0e4af448ffdd8bd65347

SHA512
9837b1c96cf1d7233f1d3225411e0b390f9fdd067856f18f3762d3ec9b9f0d287b07a28fd27869e703f85a66f770209ea1b344149914fc9b4110e25d6c053ea8

Download Submit
C:\Windows\SysWOW64\lkpfjljwymvwa.exe

Filesize
255KB

MD5
b6105e6f11e512db59738211d3f247eb

SHA1
4b04bc43890c3fe4f4980ed0841a2f0ea346e5ba

SHA256
064903f52739a01be7402da915fcecc8981a971ced228493aa74e6c41444f084

SHA512
e8dd8a74418c8ed74a5683ef1e2a88c1d4bc0bebdcfaece35665cb3686d160b3e089209bfddb8f2ea8f7d402943072c1ecd7e7cd1169a66e82fbdf773c1e5444

Download Submit
C:\Windows\SysWOW64\lkpfjljwymvwa.exe

Filesize
255KB

MD5
b6105e6f11e512db59738211d3f247eb

SHA1
4b04bc43890c3fe4f4980ed0841a2f0ea346e5ba

SHA256
064903f52739a01be7402da915fcecc8981a971ced228493aa74e6c41444f084

SHA512
e8dd8a74418c8ed74a5683ef1e2a88c1d4bc0bebdcfaece35665cb3686d160b3e089209bfddb8f2ea8f7d402943072c1ecd7e7cd1169a66e82fbdf773c1e5444

Download Submit
C:\Windows\SysWOW64\lkpfjljwymvwa.exe

Filesize
255KB

MD5
b6105e6f11e512db59738211d3f247eb

SHA1
4b04bc43890c3fe4f4980ed0841a2f0ea346e5ba

SHA256
064903f52739a01be7402da915fcecc8981a971ced228493aa74e6c41444f084

SHA512
e8dd8a74418c8ed74a5683ef1e2a88c1d4bc0bebdcfaece35665cb3686d160b3e089209bfddb8f2ea8f7d402943072c1ecd7e7cd1169a66e82fbdf773c1e5444

Download Submit
C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe

Filesize
255KB

MD5
705490ebfc4b45c0437100eef132ea68

SHA1
4d69e087c86a60d943d9971227ac6a77300ec345

SHA256
c2be219724fd0475024a188b33855746d7816a3851982f3b1c9a45b81da0d482

SHA512
48b616563e327ef579b2147250d2f249fa4e617d5f04a0b32afa724b34f090e0952d424b41ff6232edb686ddf535c92633ed876e0a0eda305a36ae72d944c14d

Download Submit
C:\Windows\SysWOW64\pzihhlrlpsjpixe.exe

Filesize
255KB

MD5
705490ebfc4b45c0437100eef132ea68

SHA1
4d69e087c86a60d943d9971227ac6a77300ec345

SHA256
c2be219724fd0475024a188b33855746d7816a3851982f3b1c9a45b81da0d482

SHA512
48b616563e327ef579b2147250d2f249fa4e617d5f04a0b32afa724b34f090e0952d424b41ff6232edb686ddf535c92633ed876e0a0eda305a36ae72d944c14d

Download Submit
C:\Windows\SysWOW64\xpjvvwfb.exe

Filesize
255KB

MD5
8574b8909148831c953481ba3d733b7d

SHA1
8ee7a939a82434140b04ff73d6d47bbb390e1fe8

SHA256
4f8b1332322f9efac26ece6ed594197aec878d93bf7b945a6972126aeddc34c6

SHA512
d37cf5674a2b1518d382798efc6a304e24d1027cb043806a8ad4fe48645be1f200096a0083cdd9a1aa8dd80b85eb7ff62ae5498affcda2b7a66fa6e11bfab54a

Download Submit
C:\Windows\SysWOW64\xpjvvwfb.exe

Filesize
255KB

MD5
8574b8909148831c953481ba3d733b7d

SHA1
8ee7a939a82434140b04ff73d6d47bbb390e1fe8

SHA256
4f8b1332322f9efac26ece6ed594197aec878d93bf7b945a6972126aeddc34c6

SHA512
d37cf5674a2b1518d382798efc6a304e24d1027cb043806a8ad4fe48645be1f200096a0083cdd9a1aa8dd80b85eb7ff62ae5498affcda2b7a66fa6e11bfab54a

Download Submit
C:\Windows\SysWOW64\xpjvvwfb.exe

Filesize
255KB

MD5
8574b8909148831c953481ba3d733b7d

SHA1
8ee7a939a82434140b04ff73d6d47bbb390e1fe8

SHA256
4f8b1332322f9efac26ece6ed594197aec878d93bf7b945a6972126aeddc34c6

SHA512
d37cf5674a2b1518d382798efc6a304e24d1027cb043806a8ad4fe48645be1f200096a0083cdd9a1aa8dd80b85eb7ff62ae5498affcda2b7a66fa6e11bfab54a

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\kecblicnie.exe

Filesize
255KB

MD5
9a83faf3fe80fb5f57899849c3b82454

SHA1
a3c54d647f79d9233a18c5dfa4e2898e6be2107f

SHA256
4ce148e1fe8cf6a746f425b756c9bdb48e127fbd474d0e4af448ffdd8bd65347

SHA512
9837b1c96cf1d7233f1d3225411e0b390f9fdd067856f18f3762d3ec9b9f0d287b07a28fd27869e703f85a66f770209ea1b344149914fc9b4110e25d6c053ea8

Download Submit
\Windows\SysWOW64\lkpfjljwymvwa.exe

Filesize
255KB

MD5
b6105e6f11e512db59738211d3f247eb

SHA1
4b04bc43890c3fe4f4980ed0841a2f0ea346e5ba

SHA256
064903f52739a01be7402da915fcecc8981a971ced228493aa74e6c41444f084

SHA512
e8dd8a74418c8ed74a5683ef1e2a88c1d4bc0bebdcfaece35665cb3686d160b3e089209bfddb8f2ea8f7d402943072c1ecd7e7cd1169a66e82fbdf773c1e5444

Download Submit
\Windows\SysWOW64\lkpfjljwymvwa.exe

Filesize
255KB

MD5
b6105e6f11e512db59738211d3f247eb

SHA1
4b04bc43890c3fe4f4980ed0841a2f0ea346e5ba

SHA256
064903f52739a01be7402da915fcecc8981a971ced228493aa74e6c41444f084

SHA512
e8dd8a74418c8ed74a5683ef1e2a88c1d4bc0bebdcfaece35665cb3686d160b3e089209bfddb8f2ea8f7d402943072c1ecd7e7cd1169a66e82fbdf773c1e5444

Download Submit
\Windows\SysWOW64\pzihhlrlpsjpixe.exe

Filesize
255KB

MD5
705490ebfc4b45c0437100eef132ea68

SHA1
4d69e087c86a60d943d9971227ac6a77300ec345

SHA256
c2be219724fd0475024a188b33855746d7816a3851982f3b1c9a45b81da0d482

SHA512
48b616563e327ef579b2147250d2f249fa4e617d5f04a0b32afa724b34f090e0952d424b41ff6232edb686ddf535c92633ed876e0a0eda305a36ae72d944c14d

Download Submit
\Windows\SysWOW64\xpjvvwfb.exe

Filesize
255KB

MD5
8574b8909148831c953481ba3d733b7d

SHA1
8ee7a939a82434140b04ff73d6d47bbb390e1fe8

SHA256
4f8b1332322f9efac26ece6ed594197aec878d93bf7b945a6972126aeddc34c6

SHA512
d37cf5674a2b1518d382798efc6a304e24d1027cb043806a8ad4fe48645be1f200096a0083cdd9a1aa8dd80b85eb7ff62ae5498affcda2b7a66fa6e11bfab54a

Download Submit
\Windows\SysWOW64\xpjvvwfb.exe

Filesize
255KB

MD5
8574b8909148831c953481ba3d733b7d

SHA1
8ee7a939a82434140b04ff73d6d47bbb390e1fe8

SHA256
4f8b1332322f9efac26ece6ed594197aec878d93bf7b945a6972126aeddc34c6

SHA512
d37cf5674a2b1518d382798efc6a304e24d1027cb043806a8ad4fe48645be1f200096a0083cdd9a1aa8dd80b85eb7ff62ae5498affcda2b7a66fa6e11bfab54a

Download Submit
memory/268-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/268-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/268-70-0x0000000000000000-mapping.dmp

Download
memory/636-107-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/636-76-0x0000000000000000-mapping.dmp

Download
memory/636-115-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/636-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/768-111-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/768-110-0x0000000000000000-mapping.dmp

Download
memory/1104-79-0x0000000000000000-mapping.dmp

Download
memory/1280-85-0x0000000002FC0000-0x0000000003060000-memory.dmp

Filesize
640KB

Download
memory/1280-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1280-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1428-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1428-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1428-66-0x0000000000000000-mapping.dmp

Download
memory/1428-114-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1852-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1852-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1852-81-0x0000000000000000-mapping.dmp

Download
memory/1888-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-98-0x0000000070F3D000-0x0000000070F48000-memory.dmp

Filesize
44KB

Download
memory/1888-113-0x0000000070F3D000-0x0000000070F48000-memory.dmp

Filesize
44KB

Download
memory/1888-92-0x0000000000000000-mapping.dmp

Download
memory/1888-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-109-0x0000000070F3D000-0x0000000070F48000-memory.dmp

Filesize
44KB

Download
memory/1888-94-0x00000000724D1000-0x00000000724D4000-memory.dmp

Filesize
12KB

Download
memory/1888-95-0x000000006FF51000-0x000000006FF53000-memory.dmp

Filesize
8KB

Download
memory/1992-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-60-0x0000000000000000-mapping.dmp

Download
memory/2044-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2044-106-0x0000000003860000-0x0000000003900000-memory.dmp

Filesize
640KB

Download
memory/2044-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download