Analysis
-
max time kernel
152s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 21:05
Behavioral task
behavioral1
Sample
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe
Resource
win10v2004-20221111-en
General
-
Target
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe
-
Size
255KB
-
MD5
1cfd38e26a69b5131995dba56e0fdaeb
-
SHA1
07aa7e5b70a48346043873cf61460e251146e0aa
-
SHA256
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0
-
SHA512
b5f8048843937307f60302062b6e1b109bbcc735eb83555e24c728867071b65441675f8e4587993dbea7cc31315c14a0d7633a205cd96b37fb1d3bc139bf9b84
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJo:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIH
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aizylfexbp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aizylfexbp.exe -
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" aizylfexbp.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aizylfexbp.exe -
Executes dropped EXE 6 IoCs
Processes:
aizylfexbp.exewofqovtlwhhgckl.exebvihyrar.exeohqqjgyfjqnbr.exeohqqjgyfjqnbr.exebvihyrar.exepid process 1160 aizylfexbp.exe 1360 wofqovtlwhhgckl.exe 576 bvihyrar.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1204 bvihyrar.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exeexplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Processes:
resource yara_rule behavioral1/memory/1492-55-0x0000000000400000-0x00000000004A0000-memory.dmp upx \Windows\SysWOW64\aizylfexbp.exe upx C:\Windows\SysWOW64\aizylfexbp.exe upx \Windows\SysWOW64\wofqovtlwhhgckl.exe upx C:\Windows\SysWOW64\aizylfexbp.exe upx C:\Windows\SysWOW64\wofqovtlwhhgckl.exe upx \Windows\SysWOW64\bvihyrar.exe upx C:\Windows\SysWOW64\bvihyrar.exe upx C:\Windows\SysWOW64\wofqovtlwhhgckl.exe upx \Windows\SysWOW64\ohqqjgyfjqnbr.exe upx C:\Windows\SysWOW64\bvihyrar.exe upx C:\Windows\SysWOW64\ohqqjgyfjqnbr.exe upx C:\Windows\SysWOW64\ohqqjgyfjqnbr.exe upx \Windows\SysWOW64\ohqqjgyfjqnbr.exe upx C:\Windows\SysWOW64\ohqqjgyfjqnbr.exe upx \Windows\SysWOW64\bvihyrar.exe upx C:\Windows\SysWOW64\bvihyrar.exe upx behavioral1/memory/1160-86-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1648-90-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/576-89-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1204-92-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1032-91-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1360-88-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1492-94-0x0000000000400000-0x00000000004A0000-memory.dmp upx C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe upx \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe upx C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe upx C:\Users\Admin\Music\BlockSkip.doc.exe upx C:\Users\Admin\Music\BlockSkip.doc.exe upx behavioral1/memory/1160-110-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1360-111-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/576-112-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1032-114-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1648-113-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1204-115-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1204-117-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/576-118-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
Loads dropped DLL 6 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.execmd.exeaizylfexbp.exepid process 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1552 cmd.exe 1160 aizylfexbp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aizylfexbp.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
wofqovtlwhhgckl.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run wofqovtlwhhgckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uuisbcls = "aizylfexbp.exe" wofqovtlwhhgckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvicuteb = "wofqovtlwhhgckl.exe" wofqovtlwhhgckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ohqqjgyfjqnbr.exe" wofqovtlwhhgckl.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
bvihyrar.exeaizylfexbp.exebvihyrar.exedescription ioc process File opened (read-only) \??\h: bvihyrar.exe File opened (read-only) \??\s: aizylfexbp.exe File opened (read-only) \??\e: bvihyrar.exe File opened (read-only) \??\j: bvihyrar.exe File opened (read-only) \??\n: aizylfexbp.exe File opened (read-only) \??\f: bvihyrar.exe File opened (read-only) \??\k: bvihyrar.exe File opened (read-only) \??\y: bvihyrar.exe File opened (read-only) \??\i: bvihyrar.exe File opened (read-only) \??\n: bvihyrar.exe File opened (read-only) \??\p: bvihyrar.exe File opened (read-only) \??\t: bvihyrar.exe File opened (read-only) \??\a: aizylfexbp.exe File opened (read-only) \??\r: aizylfexbp.exe File opened (read-only) \??\t: aizylfexbp.exe File opened (read-only) \??\u: aizylfexbp.exe File opened (read-only) \??\v: aizylfexbp.exe File opened (read-only) \??\a: bvihyrar.exe File opened (read-only) \??\t: bvihyrar.exe File opened (read-only) \??\e: aizylfexbp.exe File opened (read-only) \??\h: aizylfexbp.exe File opened (read-only) \??\k: aizylfexbp.exe File opened (read-only) \??\n: bvihyrar.exe File opened (read-only) \??\a: bvihyrar.exe File opened (read-only) \??\s: bvihyrar.exe File opened (read-only) \??\i: aizylfexbp.exe File opened (read-only) \??\z: aizylfexbp.exe File opened (read-only) \??\o: bvihyrar.exe File opened (read-only) \??\e: bvihyrar.exe File opened (read-only) \??\j: bvihyrar.exe File opened (read-only) \??\k: bvihyrar.exe File opened (read-only) \??\o: bvihyrar.exe File opened (read-only) \??\q: bvihyrar.exe File opened (read-only) \??\z: bvihyrar.exe File opened (read-only) \??\g: bvihyrar.exe File opened (read-only) \??\l: bvihyrar.exe File opened (read-only) \??\r: bvihyrar.exe File opened (read-only) \??\s: bvihyrar.exe File opened (read-only) \??\f: bvihyrar.exe File opened (read-only) \??\v: bvihyrar.exe File opened (read-only) \??\b: bvihyrar.exe File opened (read-only) \??\w: bvihyrar.exe File opened (read-only) \??\y: bvihyrar.exe File opened (read-only) \??\j: aizylfexbp.exe File opened (read-only) \??\l: aizylfexbp.exe File opened (read-only) \??\p: aizylfexbp.exe File opened (read-only) \??\w: bvihyrar.exe File opened (read-only) \??\u: bvihyrar.exe File opened (read-only) \??\x: bvihyrar.exe File opened (read-only) \??\m: aizylfexbp.exe File opened (read-only) \??\b: bvihyrar.exe File opened (read-only) \??\m: bvihyrar.exe File opened (read-only) \??\l: bvihyrar.exe File opened (read-only) \??\m: bvihyrar.exe File opened (read-only) \??\f: aizylfexbp.exe File opened (read-only) \??\x: aizylfexbp.exe File opened (read-only) \??\p: bvihyrar.exe File opened (read-only) \??\g: bvihyrar.exe File opened (read-only) \??\v: bvihyrar.exe File opened (read-only) \??\g: aizylfexbp.exe File opened (read-only) \??\o: aizylfexbp.exe File opened (read-only) \??\q: aizylfexbp.exe File opened (read-only) \??\w: aizylfexbp.exe File opened (read-only) \??\y: aizylfexbp.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
aizylfexbp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" aizylfexbp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" aizylfexbp.exe -
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1492-55-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1160-86-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1648-90-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/576-89-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1204-92-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1032-91-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1360-88-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1492-94-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1160-110-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1360-111-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/576-112-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1032-114-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1648-113-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1204-115-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1204-117-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/576-118-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeaizylfexbp.exedescription ioc process File opened for modification C:\Windows\SysWOW64\aizylfexbp.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File opened for modification C:\Windows\SysWOW64\wofqovtlwhhgckl.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File created C:\Windows\SysWOW64\ohqqjgyfjqnbr.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File created C:\Windows\SysWOW64\aizylfexbp.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File created C:\Windows\SysWOW64\bvihyrar.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File opened for modification C:\Windows\SysWOW64\bvihyrar.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File opened for modification C:\Windows\SysWOW64\ohqqjgyfjqnbr.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll aizylfexbp.exe File created C:\Windows\SysWOW64\wofqovtlwhhgckl.exe 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe -
Drops file in Program Files directory 14 IoCs
Processes:
bvihyrar.exebvihyrar.exedescription ioc process File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvihyrar.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvihyrar.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bvihyrar.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvihyrar.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvihyrar.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bvihyrar.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bvihyrar.exe -
Drops file in Windows directory 4 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEaizylfexbp.exeexplorer.exe469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" aizylfexbp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8F4F5882699132D7207E9CBD92E141584667326345D6ED" 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FABBF96BF298837F3A47819F39E4B38802FC4360033EE1CD42EB08A6" 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C089D2382566A3076D670232DD67DF565D9" 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs aizylfexbp.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" aizylfexbp.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" aizylfexbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02C47E739EA52BEB9D032EDD4C4" 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1908 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeaizylfexbp.exewofqovtlwhhgckl.exebvihyrar.exeohqqjgyfjqnbr.exeohqqjgyfjqnbr.exebvihyrar.exepid process 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 576 bvihyrar.exe 576 bvihyrar.exe 576 bvihyrar.exe 576 bvihyrar.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1204 bvihyrar.exe 1204 bvihyrar.exe 1204 bvihyrar.exe 1204 bvihyrar.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1360 wofqovtlwhhgckl.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1360 wofqovtlwhhgckl.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1360 wofqovtlwhhgckl.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1360 wofqovtlwhhgckl.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
explorer.exeAUDIODG.EXEexplorer.exedescription pid process Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: 33 1768 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1768 AUDIODG.EXE Token: 33 1768 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1768 AUDIODG.EXE Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 436 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe Token: SeShutdownPrivilege 1576 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeaizylfexbp.exewofqovtlwhhgckl.exebvihyrar.exeohqqjgyfjqnbr.exeohqqjgyfjqnbr.exebvihyrar.exeexplorer.exeWINWORD.EXEexplorer.exepid process 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 576 bvihyrar.exe 576 bvihyrar.exe 576 bvihyrar.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1032 ohqqjgyfjqnbr.exe 1204 bvihyrar.exe 1204 bvihyrar.exe 1204 bvihyrar.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 1908 WINWORD.EXE 1908 WINWORD.EXE 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe -
Suspicious use of SendNotifyMessage 53 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exeaizylfexbp.exewofqovtlwhhgckl.exebvihyrar.exeohqqjgyfjqnbr.exeexplorer.exeexplorer.exepid process 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1160 aizylfexbp.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 1360 wofqovtlwhhgckl.exe 576 bvihyrar.exe 576 bvihyrar.exe 576 bvihyrar.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 1648 ohqqjgyfjqnbr.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 436 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe 1576 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1908 WINWORD.EXE 1908 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exewofqovtlwhhgckl.execmd.exeaizylfexbp.exedescription pid process target process PID 1492 wrote to memory of 1160 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe aizylfexbp.exe PID 1492 wrote to memory of 1160 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe aizylfexbp.exe PID 1492 wrote to memory of 1160 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe aizylfexbp.exe PID 1492 wrote to memory of 1160 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe aizylfexbp.exe PID 1492 wrote to memory of 1360 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe wofqovtlwhhgckl.exe PID 1492 wrote to memory of 1360 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe wofqovtlwhhgckl.exe PID 1492 wrote to memory of 1360 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe wofqovtlwhhgckl.exe PID 1492 wrote to memory of 1360 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe wofqovtlwhhgckl.exe PID 1492 wrote to memory of 576 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe bvihyrar.exe PID 1492 wrote to memory of 576 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe bvihyrar.exe PID 1492 wrote to memory of 576 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe bvihyrar.exe PID 1492 wrote to memory of 576 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe bvihyrar.exe PID 1492 wrote to memory of 1648 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe ohqqjgyfjqnbr.exe PID 1492 wrote to memory of 1648 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe ohqqjgyfjqnbr.exe PID 1492 wrote to memory of 1648 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe ohqqjgyfjqnbr.exe PID 1492 wrote to memory of 1648 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe ohqqjgyfjqnbr.exe PID 1360 wrote to memory of 1552 1360 wofqovtlwhhgckl.exe cmd.exe PID 1360 wrote to memory of 1552 1360 wofqovtlwhhgckl.exe cmd.exe PID 1360 wrote to memory of 1552 1360 wofqovtlwhhgckl.exe cmd.exe PID 1360 wrote to memory of 1552 1360 wofqovtlwhhgckl.exe cmd.exe PID 1552 wrote to memory of 1032 1552 cmd.exe ohqqjgyfjqnbr.exe PID 1552 wrote to memory of 1032 1552 cmd.exe ohqqjgyfjqnbr.exe PID 1552 wrote to memory of 1032 1552 cmd.exe ohqqjgyfjqnbr.exe PID 1552 wrote to memory of 1032 1552 cmd.exe ohqqjgyfjqnbr.exe PID 1160 wrote to memory of 1204 1160 aizylfexbp.exe bvihyrar.exe PID 1160 wrote to memory of 1204 1160 aizylfexbp.exe bvihyrar.exe PID 1160 wrote to memory of 1204 1160 aizylfexbp.exe bvihyrar.exe PID 1160 wrote to memory of 1204 1160 aizylfexbp.exe bvihyrar.exe PID 1492 wrote to memory of 1908 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe WINWORD.EXE PID 1492 wrote to memory of 1908 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe WINWORD.EXE PID 1492 wrote to memory of 1908 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe WINWORD.EXE PID 1492 wrote to memory of 1908 1492 469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe"C:\Users\Admin\AppData\Local\Temp\469fd656707a9e995050780b15d1c9c05f7e7850f18f7ece3c9f9b8bfe3177f0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\aizylfexbp.exeaizylfexbp.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\bvihyrar.exeC:\Windows\system32\bvihyrar.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1204 -
C:\Windows\SysWOW64\wofqovtlwhhgckl.exewofqovtlwhhgckl.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ohqqjgyfjqnbr.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\ohqqjgyfjqnbr.exeohqqjgyfjqnbr.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1032 -
C:\Windows\SysWOW64\ohqqjgyfjqnbr.exeohqqjgyfjqnbr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1648 -
C:\Windows\SysWOW64\bvihyrar.exebvihyrar.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:576 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1908
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5981⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
255KB
MD5969d699262f4065fa2aa7059c6ecc92f
SHA13aac6a4a9d93c2f0d8d53bf71be5223329a6b4eb
SHA2568844509e59afe9d60b9745f1c353ae8478a18cf3de48176ecd5ae0919170ab42
SHA512ec5372ce0c0b3464f2cc99d00a4bbc298c80ffbc25ba1032a54a8df7ebc7799b0146be2d57993f942ae4a90ecfd4305662499aee5bb97da984b1293405434efa
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
255KB
MD5ec2809aae6ab9bfe04e9cfa5c41c61fe
SHA15de347fc62566eb30fa81a8a06d85681da1997fa
SHA2560c33219f581682af831d5cac654a9d366ec6d2bd70eed0b6ff7fcc967d8601f7
SHA51257959e8207e7e9cd4726469d3332d1dbb587e438d3cc4f07d12e769cd16f507c8c77886d10b6432e07271ee061f4e0d0b0e56a0fc7505a4d428e5bbd9464c4f4
-
C:\Users\Admin\Music\BlockSkip.doc.exeFilesize
255KB
MD505376fc12bb12bc75436f5f30537fe17
SHA1001166408fe3a2e4fde08af1ad04e7c6d68ff05d
SHA256c57cc26e569be9c1bfdfba25354a1d959cf82667418b3ead813cad716384a4db
SHA5121023c271626cd45de15c4702d30425162b273d99d1e928fcf695c06e18e67ff03f96e470215c38cbd6c12762e9e45365b8b7cccc2c872a31cc75e0ed65f1a675
-
C:\Users\Admin\Music\BlockSkip.doc.exeFilesize
255KB
MD505376fc12bb12bc75436f5f30537fe17
SHA1001166408fe3a2e4fde08af1ad04e7c6d68ff05d
SHA256c57cc26e569be9c1bfdfba25354a1d959cf82667418b3ead813cad716384a4db
SHA5121023c271626cd45de15c4702d30425162b273d99d1e928fcf695c06e18e67ff03f96e470215c38cbd6c12762e9e45365b8b7cccc2c872a31cc75e0ed65f1a675
-
C:\Windows\SysWOW64\aizylfexbp.exeFilesize
255KB
MD594cac2b174421822a48dd63cfd48e43c
SHA15fc9230f25f7a1a955275d1dc08ddeea4b3f9a5e
SHA256d001c021905643b2d19bad3d03a3b4dacea47863147094755b31987ae16102e3
SHA512ea1ffffd75f08c1f12aa60ce76be56b196864dd6ef0b910b9418b7f3e0b2b0c060c350d5f6e1cf57fe84b797a060ceafdf833d2da65243a672fc57e1c05fdcc8
-
C:\Windows\SysWOW64\aizylfexbp.exeFilesize
255KB
MD594cac2b174421822a48dd63cfd48e43c
SHA15fc9230f25f7a1a955275d1dc08ddeea4b3f9a5e
SHA256d001c021905643b2d19bad3d03a3b4dacea47863147094755b31987ae16102e3
SHA512ea1ffffd75f08c1f12aa60ce76be56b196864dd6ef0b910b9418b7f3e0b2b0c060c350d5f6e1cf57fe84b797a060ceafdf833d2da65243a672fc57e1c05fdcc8
-
C:\Windows\SysWOW64\bvihyrar.exeFilesize
255KB
MD53d2a15ecc3016c054bc7788a4bdfad4f
SHA1fe528fa8f4dccfcc58376712623a8ccdc84a9c78
SHA25624b81635d3883cad699015a74411ec017d9daae503dd33258682fba46613a0bf
SHA512d23e4e6a2166bca9c02d81730f7d77b2b58ecd1b5ab82e7f3ef0507f311acd77649b9602f9eddb702f631e30f7b0fa487f7c34bde12538e0cc2f4f320c90deae
-
C:\Windows\SysWOW64\bvihyrar.exeFilesize
255KB
MD53d2a15ecc3016c054bc7788a4bdfad4f
SHA1fe528fa8f4dccfcc58376712623a8ccdc84a9c78
SHA25624b81635d3883cad699015a74411ec017d9daae503dd33258682fba46613a0bf
SHA512d23e4e6a2166bca9c02d81730f7d77b2b58ecd1b5ab82e7f3ef0507f311acd77649b9602f9eddb702f631e30f7b0fa487f7c34bde12538e0cc2f4f320c90deae
-
C:\Windows\SysWOW64\bvihyrar.exeFilesize
255KB
MD53d2a15ecc3016c054bc7788a4bdfad4f
SHA1fe528fa8f4dccfcc58376712623a8ccdc84a9c78
SHA25624b81635d3883cad699015a74411ec017d9daae503dd33258682fba46613a0bf
SHA512d23e4e6a2166bca9c02d81730f7d77b2b58ecd1b5ab82e7f3ef0507f311acd77649b9602f9eddb702f631e30f7b0fa487f7c34bde12538e0cc2f4f320c90deae
-
C:\Windows\SysWOW64\ohqqjgyfjqnbr.exeFilesize
255KB
MD55e72229755249adcd07d12c97527a03b
SHA173216db238307cf8e12442173d9646b744a84830
SHA2561174701e40f4f9bd097b5f283778623dfbb5e80062f7d5b127b56a6019940c72
SHA512890be46710e0febad63fb56490adc28e8164648f6a97846e114e9d187cf0c2562878da321f55f9e5c9947d919f862638073024d069de575d7905cdac0e9fafb2
-
C:\Windows\SysWOW64\ohqqjgyfjqnbr.exeFilesize
255KB
MD55e72229755249adcd07d12c97527a03b
SHA173216db238307cf8e12442173d9646b744a84830
SHA2561174701e40f4f9bd097b5f283778623dfbb5e80062f7d5b127b56a6019940c72
SHA512890be46710e0febad63fb56490adc28e8164648f6a97846e114e9d187cf0c2562878da321f55f9e5c9947d919f862638073024d069de575d7905cdac0e9fafb2
-
C:\Windows\SysWOW64\ohqqjgyfjqnbr.exeFilesize
255KB
MD55e72229755249adcd07d12c97527a03b
SHA173216db238307cf8e12442173d9646b744a84830
SHA2561174701e40f4f9bd097b5f283778623dfbb5e80062f7d5b127b56a6019940c72
SHA512890be46710e0febad63fb56490adc28e8164648f6a97846e114e9d187cf0c2562878da321f55f9e5c9947d919f862638073024d069de575d7905cdac0e9fafb2
-
C:\Windows\SysWOW64\wofqovtlwhhgckl.exeFilesize
255KB
MD5f067fdbe64fa16a82fef2a26cce1f9ac
SHA191ee23b57c82983a46f7c05401e46974ca29b0f1
SHA2569681391061d62485073a9f966b95d8dbc6078a4891f9d478a6336ea9b6c9946c
SHA51284d238fda608e7b7b2449aa738a64a10529cb52b3d40733ecd14f590da1b24abc01345ebd9460858ccba50af44eb6d750f9419b769e7c844fdd3931c9303dabb
-
C:\Windows\SysWOW64\wofqovtlwhhgckl.exeFilesize
255KB
MD5f067fdbe64fa16a82fef2a26cce1f9ac
SHA191ee23b57c82983a46f7c05401e46974ca29b0f1
SHA2569681391061d62485073a9f966b95d8dbc6078a4891f9d478a6336ea9b6c9946c
SHA51284d238fda608e7b7b2449aa738a64a10529cb52b3d40733ecd14f590da1b24abc01345ebd9460858ccba50af44eb6d750f9419b769e7c844fdd3931c9303dabb
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
255KB
MD5ec2809aae6ab9bfe04e9cfa5c41c61fe
SHA15de347fc62566eb30fa81a8a06d85681da1997fa
SHA2560c33219f581682af831d5cac654a9d366ec6d2bd70eed0b6ff7fcc967d8601f7
SHA51257959e8207e7e9cd4726469d3332d1dbb587e438d3cc4f07d12e769cd16f507c8c77886d10b6432e07271ee061f4e0d0b0e56a0fc7505a4d428e5bbd9464c4f4
-
\Windows\SysWOW64\aizylfexbp.exeFilesize
255KB
MD594cac2b174421822a48dd63cfd48e43c
SHA15fc9230f25f7a1a955275d1dc08ddeea4b3f9a5e
SHA256d001c021905643b2d19bad3d03a3b4dacea47863147094755b31987ae16102e3
SHA512ea1ffffd75f08c1f12aa60ce76be56b196864dd6ef0b910b9418b7f3e0b2b0c060c350d5f6e1cf57fe84b797a060ceafdf833d2da65243a672fc57e1c05fdcc8
-
\Windows\SysWOW64\bvihyrar.exeFilesize
255KB
MD53d2a15ecc3016c054bc7788a4bdfad4f
SHA1fe528fa8f4dccfcc58376712623a8ccdc84a9c78
SHA25624b81635d3883cad699015a74411ec017d9daae503dd33258682fba46613a0bf
SHA512d23e4e6a2166bca9c02d81730f7d77b2b58ecd1b5ab82e7f3ef0507f311acd77649b9602f9eddb702f631e30f7b0fa487f7c34bde12538e0cc2f4f320c90deae
-
\Windows\SysWOW64\bvihyrar.exeFilesize
255KB
MD53d2a15ecc3016c054bc7788a4bdfad4f
SHA1fe528fa8f4dccfcc58376712623a8ccdc84a9c78
SHA25624b81635d3883cad699015a74411ec017d9daae503dd33258682fba46613a0bf
SHA512d23e4e6a2166bca9c02d81730f7d77b2b58ecd1b5ab82e7f3ef0507f311acd77649b9602f9eddb702f631e30f7b0fa487f7c34bde12538e0cc2f4f320c90deae
-
\Windows\SysWOW64\ohqqjgyfjqnbr.exeFilesize
255KB
MD55e72229755249adcd07d12c97527a03b
SHA173216db238307cf8e12442173d9646b744a84830
SHA2561174701e40f4f9bd097b5f283778623dfbb5e80062f7d5b127b56a6019940c72
SHA512890be46710e0febad63fb56490adc28e8164648f6a97846e114e9d187cf0c2562878da321f55f9e5c9947d919f862638073024d069de575d7905cdac0e9fafb2
-
\Windows\SysWOW64\ohqqjgyfjqnbr.exeFilesize
255KB
MD55e72229755249adcd07d12c97527a03b
SHA173216db238307cf8e12442173d9646b744a84830
SHA2561174701e40f4f9bd097b5f283778623dfbb5e80062f7d5b127b56a6019940c72
SHA512890be46710e0febad63fb56490adc28e8164648f6a97846e114e9d187cf0c2562878da321f55f9e5c9947d919f862638073024d069de575d7905cdac0e9fafb2
-
\Windows\SysWOW64\wofqovtlwhhgckl.exeFilesize
255KB
MD5f067fdbe64fa16a82fef2a26cce1f9ac
SHA191ee23b57c82983a46f7c05401e46974ca29b0f1
SHA2569681391061d62485073a9f966b95d8dbc6078a4891f9d478a6336ea9b6c9946c
SHA51284d238fda608e7b7b2449aa738a64a10529cb52b3d40733ecd14f590da1b24abc01345ebd9460858ccba50af44eb6d750f9419b769e7c844fdd3931c9303dabb
-
memory/436-98-0x000007FEFBF61000-0x000007FEFBF63000-memory.dmpFilesize
8KB
-
memory/576-112-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/576-67-0x0000000000000000-mapping.dmp
-
memory/576-118-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/576-89-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1032-78-0x0000000000000000-mapping.dmp
-
memory/1032-91-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1032-114-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1160-86-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1160-57-0x0000000000000000-mapping.dmp
-
memory/1160-110-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1204-92-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1204-117-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1204-115-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1204-82-0x0000000000000000-mapping.dmp
-
memory/1360-88-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1360-61-0x0000000000000000-mapping.dmp
-
memory/1360-111-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1492-87-0x00000000032D0000-0x0000000003370000-memory.dmpFilesize
640KB
-
memory/1492-94-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1492-55-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmpFilesize
8KB
-
memory/1492-85-0x00000000032D0000-0x0000000003370000-memory.dmpFilesize
640KB
-
memory/1552-76-0x0000000000000000-mapping.dmp
-
memory/1648-71-0x0000000000000000-mapping.dmp
-
memory/1648-90-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1648-113-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1908-101-0x0000000071A0D000-0x0000000071A18000-memory.dmpFilesize
44KB
-
memory/1908-97-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1908-96-0x0000000070A21000-0x0000000070A23000-memory.dmpFilesize
8KB
-
memory/1908-95-0x0000000072FA1000-0x0000000072FA4000-memory.dmpFilesize
12KB
-
memory/1908-102-0x000000006BEB1000-0x000000006BEB3000-memory.dmpFilesize
8KB
-
memory/1908-116-0x0000000071A0D000-0x0000000071A18000-memory.dmpFilesize
44KB
-
memory/1908-93-0x0000000000000000-mapping.dmp
-
memory/1908-103-0x000000006BE71000-0x000000006BE73000-memory.dmpFilesize
8KB