2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec

Analysis

max time kernel
177s
max time network
104s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
Size

255KB
MD5

72eb5945bda4d97f6d24459274c9df40
SHA1

bdab67f20e8a28fe9218f9da5412ff4495e7983d
SHA256

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec
SHA512

48f0c7acafd8f52d2c276f521a733af3b01d0f0a1c8a228728ec9096d1f5f6198bed95c3ddfe9d404a2782915b8d47c0186220282e229c7e90a3cf95f4027c2f
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJb:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lxtopqxieq.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lxtopqxieq.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lxtopqxieq.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lxtopqxieq.exe

Executes dropped EXE 6 IoCs

Processes:

lxtopqxieq.exekpycrnfizgbfyeq.exeosumckel.exettmtbovnsfswm.exettmtbovnsfswm.exeosumckel.exe

pid process

680 lxtopqxieq.exe
268 kpycrnfizgbfyeq.exe
324 osumckel.exe
1548 ttmtbovnsfswm.exe
568 ttmtbovnsfswm.exe
1140 osumckel.exe

pid	process
680	lxtopqxieq.exe
268	kpycrnfizgbfyeq.exe
324	osumckel.exe
1548	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
1140	osumckel.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/320-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\lxtopqxieq.exe	upx
C:\Windows\SysWOW64\lxtopqxieq.exe	upx
\Windows\SysWOW64\kpycrnfizgbfyeq.exe	upx
C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe	upx
C:\Windows\SysWOW64\lxtopqxieq.exe	upx
C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe	upx
\Windows\SysWOW64\osumckel.exe	upx
C:\Windows\SysWOW64\osumckel.exe	upx
behavioral1/memory/680-70-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\osumckel.exe	upx
behavioral1/memory/268-72-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/320-74-0x00000000032E0000-0x0000000003380000-memory.dmp	upx
\Windows\SysWOW64\ttmtbovnsfswm.exe	upx
behavioral1/memory/324-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\ttmtbovnsfswm.exe	upx
C:\Windows\SysWOW64\ttmtbovnsfswm.exe	upx
\Windows\SysWOW64\ttmtbovnsfswm.exe	upx
C:\Windows\SysWOW64\ttmtbovnsfswm.exe	upx
\Windows\SysWOW64\osumckel.exe	upx
C:\Windows\SysWOW64\osumckel.exe	upx
behavioral1/memory/320-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1548-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/568-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1140-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/268-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/324-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/680-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1548-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/568-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1140-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
C:\Users\Admin\Documents\ClearCheckpoint.doc.exe	upx
C:\Users\Admin\Documents\ImportProtect.doc.exe	upx
C:\Users\Admin\Documents\ResetReceive.doc.exe	upx

Loads dropped DLL 6 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.execmd.exelxtopqxieq.exe

pid	process
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
1760	cmd.exe
680	lxtopqxieq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lxtopqxieq.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kpycrnfizgbfyeq.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kpycrnfizgbfyeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nnmbmeov = "lxtopqxieq.exe"	kpycrnfizgbfyeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\skgphajy = "kpycrnfizgbfyeq.exe"	kpycrnfizgbfyeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ttmtbovnsfswm.exe"	kpycrnfizgbfyeq.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lxtopqxieq.exeosumckel.exeosumckel.exe

description	ioc	process
File opened (read-only)	\??\v:	lxtopqxieq.exe
File opened (read-only)	\??\n:	osumckel.exe
File opened (read-only)	\??\u:	osumckel.exe
File opened (read-only)	\??\v:	osumckel.exe
File opened (read-only)	\??\p:	lxtopqxieq.exe
File opened (read-only)	\??\a:	osumckel.exe
File opened (read-only)	\??\f:	osumckel.exe
File opened (read-only)	\??\i:	osumckel.exe
File opened (read-only)	\??\x:	osumckel.exe
File opened (read-only)	\??\y:	osumckel.exe
File opened (read-only)	\??\l:	lxtopqxieq.exe
File opened (read-only)	\??\g:	osumckel.exe
File opened (read-only)	\??\t:	osumckel.exe
File opened (read-only)	\??\j:	osumckel.exe
File opened (read-only)	\??\f:	lxtopqxieq.exe
File opened (read-only)	\??\i:	lxtopqxieq.exe
File opened (read-only)	\??\o:	osumckel.exe
File opened (read-only)	\??\g:	lxtopqxieq.exe
File opened (read-only)	\??\j:	lxtopqxieq.exe
File opened (read-only)	\??\r:	lxtopqxieq.exe
File opened (read-only)	\??\n:	osumckel.exe
File opened (read-only)	\??\v:	osumckel.exe
File opened (read-only)	\??\h:	lxtopqxieq.exe
File opened (read-only)	\??\b:	osumckel.exe
File opened (read-only)	\??\m:	osumckel.exe
File opened (read-only)	\??\z:	osumckel.exe
File opened (read-only)	\??\e:	osumckel.exe
File opened (read-only)	\??\t:	osumckel.exe
File opened (read-only)	\??\w:	osumckel.exe
File opened (read-only)	\??\b:	lxtopqxieq.exe
File opened (read-only)	\??\q:	lxtopqxieq.exe
File opened (read-only)	\??\w:	lxtopqxieq.exe
File opened (read-only)	\??\l:	osumckel.exe
File opened (read-only)	\??\w:	osumckel.exe
File opened (read-only)	\??\h:	osumckel.exe
File opened (read-only)	\??\r:	osumckel.exe
File opened (read-only)	\??\e:	lxtopqxieq.exe
File opened (read-only)	\??\o:	lxtopqxieq.exe
File opened (read-only)	\??\q:	osumckel.exe
File opened (read-only)	\??\s:	osumckel.exe
File opened (read-only)	\??\e:	osumckel.exe
File opened (read-only)	\??\x:	lxtopqxieq.exe
File opened (read-only)	\??\f:	osumckel.exe
File opened (read-only)	\??\h:	osumckel.exe
File opened (read-only)	\??\g:	osumckel.exe
File opened (read-only)	\??\k:	lxtopqxieq.exe
File opened (read-only)	\??\k:	osumckel.exe
File opened (read-only)	\??\x:	osumckel.exe
File opened (read-only)	\??\y:	lxtopqxieq.exe
File opened (read-only)	\??\o:	osumckel.exe
File opened (read-only)	\??\q:	osumckel.exe
File opened (read-only)	\??\z:	osumckel.exe
File opened (read-only)	\??\m:	lxtopqxieq.exe
File opened (read-only)	\??\a:	osumckel.exe
File opened (read-only)	\??\m:	osumckel.exe
File opened (read-only)	\??\k:	osumckel.exe
File opened (read-only)	\??\p:	osumckel.exe
File opened (read-only)	\??\a:	lxtopqxieq.exe
File opened (read-only)	\??\z:	lxtopqxieq.exe
File opened (read-only)	\??\i:	osumckel.exe
File opened (read-only)	\??\r:	osumckel.exe
File opened (read-only)	\??\l:	osumckel.exe
File opened (read-only)	\??\n:	lxtopqxieq.exe
File opened (read-only)	\??\s:	lxtopqxieq.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

lxtopqxieq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	lxtopqxieq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	lxtopqxieq.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/680-70-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-72-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/324-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/320-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1548-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/568-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1140-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/324-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/680-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1548-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/568-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1140-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exelxtopqxieq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\lxtopqxieq.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File created	C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File opened for modification	C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File created	C:\Windows\SysWOW64\osumckel.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lxtopqxieq.exe
File opened for modification	C:\Windows\SysWOW64\lxtopqxieq.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File opened for modification	C:\Windows\SysWOW64\osumckel.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File created	C:\Windows\SysWOW64\ttmtbovnsfswm.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File opened for modification	C:\Windows\SysWOW64\ttmtbovnsfswm.exe	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe

Drops file in Program Files directory 14 IoCs

Processes:

osumckel.exeosumckel.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	osumckel.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	osumckel.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	osumckel.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	osumckel.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	osumckel.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	osumckel.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	osumckel.exe

Drops file in Windows directory 4 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

lxtopqxieq.exeWINWORD.EXE2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	lxtopqxieq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	lxtopqxieq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC83482D826E9141D7287E93BDE3E631594166446242D799"	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9CBFE64F1E3840B3B30869D3998B3FC02884311033FE2BE429E09D2"	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	lxtopqxieq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1540 WINWORD.EXE

pid	process
1540	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exelxtopqxieq.exekpycrnfizgbfyeq.exeosumckel.exettmtbovnsfswm.exeosumckel.exettmtbovnsfswm.exe

pid	process
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
324	osumckel.exe
324	osumckel.exe
324	osumckel.exe
324	osumckel.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
1140	osumckel.exe
1140	osumckel.exe
1140	osumckel.exe
1140	osumckel.exe
268	kpycrnfizgbfyeq.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
268	kpycrnfizgbfyeq.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe
Token: SeShutdownPrivilege	1708	explorer.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exelxtopqxieq.exekpycrnfizgbfyeq.exeosumckel.exettmtbovnsfswm.exeosumckel.exettmtbovnsfswm.exeexplorer.exe

pid	process
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
324	osumckel.exe
324	osumckel.exe
324	osumckel.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
1140	osumckel.exe
1140	osumckel.exe
1140	osumckel.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1548	ttmtbovnsfswm.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exelxtopqxieq.exekpycrnfizgbfyeq.exeosumckel.exettmtbovnsfswm.exeexplorer.exe

pid	process
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
680	lxtopqxieq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
268	kpycrnfizgbfyeq.exe
324	osumckel.exe
324	osumckel.exe
324	osumckel.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
568	ttmtbovnsfswm.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1540 WINWORD.EXE
1540 WINWORD.EXE

pid	process
1540	WINWORD.EXE
1540	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exekpycrnfizgbfyeq.execmd.exelxtopqxieq.exeWINWORD.EXE

description	pid	process	target process
PID 320 wrote to memory of 680	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	lxtopqxieq.exe
PID 320 wrote to memory of 680	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	lxtopqxieq.exe
PID 320 wrote to memory of 680	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	lxtopqxieq.exe
PID 320 wrote to memory of 680	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	lxtopqxieq.exe
PID 320 wrote to memory of 268	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	kpycrnfizgbfyeq.exe
PID 320 wrote to memory of 268	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	kpycrnfizgbfyeq.exe
PID 320 wrote to memory of 268	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	kpycrnfizgbfyeq.exe
PID 320 wrote to memory of 268	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	kpycrnfizgbfyeq.exe
PID 320 wrote to memory of 324	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	osumckel.exe
PID 320 wrote to memory of 324	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	osumckel.exe
PID 320 wrote to memory of 324	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	osumckel.exe
PID 320 wrote to memory of 324	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	osumckel.exe
PID 320 wrote to memory of 1548	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	ttmtbovnsfswm.exe
PID 320 wrote to memory of 1548	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	ttmtbovnsfswm.exe
PID 320 wrote to memory of 1548	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	ttmtbovnsfswm.exe
PID 320 wrote to memory of 1548	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	ttmtbovnsfswm.exe
PID 268 wrote to memory of 1760	268	kpycrnfizgbfyeq.exe	cmd.exe
PID 268 wrote to memory of 1760	268	kpycrnfizgbfyeq.exe	cmd.exe
PID 268 wrote to memory of 1760	268	kpycrnfizgbfyeq.exe	cmd.exe
PID 268 wrote to memory of 1760	268	kpycrnfizgbfyeq.exe	cmd.exe
PID 1760 wrote to memory of 568	1760	cmd.exe	ttmtbovnsfswm.exe
PID 1760 wrote to memory of 568	1760	cmd.exe	ttmtbovnsfswm.exe
PID 1760 wrote to memory of 568	1760	cmd.exe	ttmtbovnsfswm.exe
PID 1760 wrote to memory of 568	1760	cmd.exe	ttmtbovnsfswm.exe
PID 680 wrote to memory of 1140	680	lxtopqxieq.exe	osumckel.exe
PID 680 wrote to memory of 1140	680	lxtopqxieq.exe	osumckel.exe
PID 680 wrote to memory of 1140	680	lxtopqxieq.exe	osumckel.exe
PID 680 wrote to memory of 1140	680	lxtopqxieq.exe	osumckel.exe
PID 320 wrote to memory of 1540	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	WINWORD.EXE
PID 320 wrote to memory of 1540	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	WINWORD.EXE
PID 320 wrote to memory of 1540	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	WINWORD.EXE
PID 320 wrote to memory of 1540	320	2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe	WINWORD.EXE
PID 1540 wrote to memory of 1108	1540	WINWORD.EXE	splwow64.exe
PID 1540 wrote to memory of 1108	1540	WINWORD.EXE	splwow64.exe
PID 1540 wrote to memory of 1108	1540	WINWORD.EXE	splwow64.exe
PID 1540 wrote to memory of 1108	1540	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
"C:\Users\Admin\AppData\Local\Temp\2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\lxtopqxieq.exe
  lxtopqxieq.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\osumckel.exe
    C:\Windows\system32\osumckel.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1140
- C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe
  kpycrnfizgbfyeq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ttmtbovnsfswm.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\ttmtbovnsfswm.exe
      ttmtbovnsfswm.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:568
- C:\Windows\SysWOW64\osumckel.exe
  osumckel.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:324
- C:\Windows\SysWOW64\ttmtbovnsfswm.exe
  ttmtbovnsfswm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1548
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
b8cb5bb226e7529baca631965fbaadfc

SHA1
30417d3a47d8082afe96f1dc225d19b461fa15ff

SHA256
3580ba0b63f535a8c590176ebeaaa1e5646827e92516c83f12859fff1144121a

SHA512
f7d89c9f6cb55a07450a6606a6dc26d6692216744e3ca169ce6aefc1f2c811f38643bd777b865e1a39edba3ffeb8007db36fe2dce3f194f07800f20efe0b8eab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
e8a8017ca5b71be75d17d54fd3065982

SHA1
20c0983016c4490b81b77ac87c2c6dbfa18ed52d

SHA256
921d2a35afc06536a863b4ef45572e9ced8ff783e3c6d0d18c9ff0d5b346c64b

SHA512
c525755774e6b3dda4f96f85045bdd19155a030366dde04209a60213d33e617e263b18a9d1cfdb66977bb4b6e0054cf66cc0fb187173ca0ffa0cda505209cdb5

Download Submit
C:\Users\Admin\Documents\ClearCheckpoint.doc.exe

Filesize
255KB

MD5
25db157f07f75f7bf9b6e7184d2e6e1c

SHA1
17bb961fb3166c98ff34675eb8cf1aca58d43ec0

SHA256
9fa357590d574bcdc0a7b39f0e9a0435aa3d38502ff61778f674fde148fad0f3

SHA512
5573fcb4bb2b1f592ba23f45c7d5c49b1fae13a6b59e53183ea55271d9a007ccb4697ba9ef782f4b163a5a91e9c54e1839c7d2fb6762e4b5b89cd1a2630e6be3

Download Submit
C:\Users\Admin\Documents\ImportProtect.doc.exe

Filesize
255KB

MD5
5236ef5412789369394beb48fadb9c56

SHA1
c7ddfc7968fb35677c31a6e286527feabda3d6ec

SHA256
1160a580301b87fe444690e1cfdc462c8d7088fefe017898eed9498839763348

SHA512
4ac265e1d7b914147b0575830f77f0a63a64efc98f5f517062c3bba029c1ed5347981b2f9033c578efb6e4e2c51aec3bbcc904249210862ad6dfb085f70a99e5

Download Submit
C:\Users\Admin\Documents\ResetReceive.doc.exe

Filesize
255KB

MD5
803d7430e765259fb11837269ad34e72

SHA1
5bc1fd12f2314f135d0c35b7697ea9e5812cef08

SHA256
320eb2da1a678b4f6d500c8e08a8604d4afbe57621e1d2c26372a1df44bd8790

SHA512
b238d3192993c229e4094e93bf30c48294fe4f1bdf52e3b340504f65a2d5ed7a405951ee687c1ce91560109a8f3e7d584f3f0d2a40f5f653b94452a89c4d0657

Download Submit
C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe

Filesize
255KB

MD5
cefcaec79f7795537f58995e492d659f

SHA1
68ada1e4a67bf9c081e269d25d9ead2d9f8b589d

SHA256
a85a6aee01b5290aec0119fc6abf48f9e7c29a9061d0093fba08529e58345bc5

SHA512
0afabfc8fdb44a1a8ea5028ed97f72485b6a9ef9f25a39de4fdf02b8b72e4ff98760fb903fae72bf59e4456fff763bac5c3b513418ab5ecceb25fb62cb44a071

Download Submit
C:\Windows\SysWOW64\kpycrnfizgbfyeq.exe

Filesize
255KB

MD5
cefcaec79f7795537f58995e492d659f

SHA1
68ada1e4a67bf9c081e269d25d9ead2d9f8b589d

SHA256
a85a6aee01b5290aec0119fc6abf48f9e7c29a9061d0093fba08529e58345bc5

SHA512
0afabfc8fdb44a1a8ea5028ed97f72485b6a9ef9f25a39de4fdf02b8b72e4ff98760fb903fae72bf59e4456fff763bac5c3b513418ab5ecceb25fb62cb44a071

Download Submit
C:\Windows\SysWOW64\lxtopqxieq.exe

Filesize
255KB

MD5
79f87f0da4dfd84bd1d2a80e931fdee4

SHA1
6aa92de8c82017da515196fea269569d3991b66d

SHA256
89baf2ce0110f2ab90394449e878f032f61d90052cad74aadf915aafe1f8e536

SHA512
135d14681266c5c00ba0c647332c1bd39ae44b01f4ae46b06aa24346c2a6d36f6aef330e4b1fadd699ff164b26e6717679177864153350dd557cefe6ec86da0d

Download Submit
C:\Windows\SysWOW64\lxtopqxieq.exe

Filesize
255KB

MD5
79f87f0da4dfd84bd1d2a80e931fdee4

SHA1
6aa92de8c82017da515196fea269569d3991b66d

SHA256
89baf2ce0110f2ab90394449e878f032f61d90052cad74aadf915aafe1f8e536

SHA512
135d14681266c5c00ba0c647332c1bd39ae44b01f4ae46b06aa24346c2a6d36f6aef330e4b1fadd699ff164b26e6717679177864153350dd557cefe6ec86da0d

Download Submit
C:\Windows\SysWOW64\osumckel.exe

Filesize
255KB

MD5
5cb722469069233fee5cd1e3f5d5ef78

SHA1
6cf0273aa38d230c1afca1f4e41e3385ca8124ef

SHA256
94f1739d9631642a25280a76487cdb99fe674999bb600993b829dddd64672a32

SHA512
1fdd04f5113cea27bc928e5e71ac8ab870819f00c59fbb28ff336cc404c4e652efb8aea6bbdcebf8df6e77e63e7b9d49d8d6c8477d03aaac891ac1f6a6dabc1c

Download Submit
C:\Windows\SysWOW64\osumckel.exe

Filesize
255KB

MD5
5cb722469069233fee5cd1e3f5d5ef78

SHA1
6cf0273aa38d230c1afca1f4e41e3385ca8124ef

SHA256
94f1739d9631642a25280a76487cdb99fe674999bb600993b829dddd64672a32

SHA512
1fdd04f5113cea27bc928e5e71ac8ab870819f00c59fbb28ff336cc404c4e652efb8aea6bbdcebf8df6e77e63e7b9d49d8d6c8477d03aaac891ac1f6a6dabc1c

Download Submit
C:\Windows\SysWOW64\osumckel.exe

Filesize
255KB

MD5
5cb722469069233fee5cd1e3f5d5ef78

SHA1
6cf0273aa38d230c1afca1f4e41e3385ca8124ef

SHA256
94f1739d9631642a25280a76487cdb99fe674999bb600993b829dddd64672a32

SHA512
1fdd04f5113cea27bc928e5e71ac8ab870819f00c59fbb28ff336cc404c4e652efb8aea6bbdcebf8df6e77e63e7b9d49d8d6c8477d03aaac891ac1f6a6dabc1c

Download Submit
C:\Windows\SysWOW64\ttmtbovnsfswm.exe

Filesize
255KB

MD5
e878fffd690bf9e4ac8fe985c2276a40

SHA1
199ddc79dfc1e5035b26480d80bcb16991bc7408

SHA256
a3597668ddc021fd260244c4253515c78470ec7b90c759b94dd8a93d72c0aac9

SHA512
38070c86f13473c0648930bc839e51855dacd5db91d62ce1c10d8e30a03d84292660911473f64d8cf0756255add51b0b19a2515e0f9aa9bb4336d5fe0f285cbb

Download Submit
C:\Windows\SysWOW64\ttmtbovnsfswm.exe

Filesize
255KB

MD5
e878fffd690bf9e4ac8fe985c2276a40

SHA1
199ddc79dfc1e5035b26480d80bcb16991bc7408

SHA256
a3597668ddc021fd260244c4253515c78470ec7b90c759b94dd8a93d72c0aac9

SHA512
38070c86f13473c0648930bc839e51855dacd5db91d62ce1c10d8e30a03d84292660911473f64d8cf0756255add51b0b19a2515e0f9aa9bb4336d5fe0f285cbb

Download Submit
C:\Windows\SysWOW64\ttmtbovnsfswm.exe

Filesize
255KB

MD5
e878fffd690bf9e4ac8fe985c2276a40

SHA1
199ddc79dfc1e5035b26480d80bcb16991bc7408

SHA256
a3597668ddc021fd260244c4253515c78470ec7b90c759b94dd8a93d72c0aac9

SHA512
38070c86f13473c0648930bc839e51855dacd5db91d62ce1c10d8e30a03d84292660911473f64d8cf0756255add51b0b19a2515e0f9aa9bb4336d5fe0f285cbb

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\kpycrnfizgbfyeq.exe

Filesize
255KB

MD5
cefcaec79f7795537f58995e492d659f

SHA1
68ada1e4a67bf9c081e269d25d9ead2d9f8b589d

SHA256
a85a6aee01b5290aec0119fc6abf48f9e7c29a9061d0093fba08529e58345bc5

SHA512
0afabfc8fdb44a1a8ea5028ed97f72485b6a9ef9f25a39de4fdf02b8b72e4ff98760fb903fae72bf59e4456fff763bac5c3b513418ab5ecceb25fb62cb44a071

Download Submit
\Windows\SysWOW64\lxtopqxieq.exe

Filesize
255KB

MD5
79f87f0da4dfd84bd1d2a80e931fdee4

SHA1
6aa92de8c82017da515196fea269569d3991b66d

SHA256
89baf2ce0110f2ab90394449e878f032f61d90052cad74aadf915aafe1f8e536

SHA512
135d14681266c5c00ba0c647332c1bd39ae44b01f4ae46b06aa24346c2a6d36f6aef330e4b1fadd699ff164b26e6717679177864153350dd557cefe6ec86da0d

Download Submit
\Windows\SysWOW64\osumckel.exe

Filesize
255KB

MD5
5cb722469069233fee5cd1e3f5d5ef78

SHA1
6cf0273aa38d230c1afca1f4e41e3385ca8124ef

SHA256
94f1739d9631642a25280a76487cdb99fe674999bb600993b829dddd64672a32

SHA512
1fdd04f5113cea27bc928e5e71ac8ab870819f00c59fbb28ff336cc404c4e652efb8aea6bbdcebf8df6e77e63e7b9d49d8d6c8477d03aaac891ac1f6a6dabc1c

Download Submit
\Windows\SysWOW64\osumckel.exe

Filesize
255KB

MD5
5cb722469069233fee5cd1e3f5d5ef78

SHA1
6cf0273aa38d230c1afca1f4e41e3385ca8124ef

SHA256
94f1739d9631642a25280a76487cdb99fe674999bb600993b829dddd64672a32

SHA512
1fdd04f5113cea27bc928e5e71ac8ab870819f00c59fbb28ff336cc404c4e652efb8aea6bbdcebf8df6e77e63e7b9d49d8d6c8477d03aaac891ac1f6a6dabc1c

Download Submit
\Windows\SysWOW64\ttmtbovnsfswm.exe

Filesize
255KB

MD5
e878fffd690bf9e4ac8fe985c2276a40

SHA1
199ddc79dfc1e5035b26480d80bcb16991bc7408

SHA256
a3597668ddc021fd260244c4253515c78470ec7b90c759b94dd8a93d72c0aac9

SHA512
38070c86f13473c0648930bc839e51855dacd5db91d62ce1c10d8e30a03d84292660911473f64d8cf0756255add51b0b19a2515e0f9aa9bb4336d5fe0f285cbb

Download Submit
\Windows\SysWOW64\ttmtbovnsfswm.exe

Filesize
255KB

MD5
e878fffd690bf9e4ac8fe985c2276a40

SHA1
199ddc79dfc1e5035b26480d80bcb16991bc7408

SHA256
a3597668ddc021fd260244c4253515c78470ec7b90c759b94dd8a93d72c0aac9

SHA512
38070c86f13473c0648930bc839e51855dacd5db91d62ce1c10d8e30a03d84292660911473f64d8cf0756255add51b0b19a2515e0f9aa9bb4336d5fe0f285cbb

Download Submit
memory/268-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/268-72-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/320-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/320-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/320-74-0x00000000032E0000-0x0000000003380000-memory.dmp

Filesize
640KB

Download
memory/320-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/324-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/324-67-0x0000000000000000-mapping.dmp

Download
memory/324-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/568-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/568-82-0x0000000000000000-mapping.dmp

Download
memory/568-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/680-94-0x00000000038B0000-0x0000000003950000-memory.dmp

Filesize
640KB

Download
memory/680-57-0x0000000000000000-mapping.dmp

Download
memory/680-70-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/680-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1108-108-0x0000000000000000-mapping.dmp

Download
memory/1140-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1140-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1140-86-0x0000000000000000-mapping.dmp

Download
memory/1540-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1540-90-0x0000000000000000-mapping.dmp

Download
memory/1540-100-0x000000007198D000-0x0000000071998000-memory.dmp

Filesize
44KB

Download
memory/1540-97-0x00000000709A1000-0x00000000709A3000-memory.dmp

Filesize
8KB

Download
memory/1540-96-0x0000000072F21000-0x0000000072F24000-memory.dmp

Filesize
12KB

Download
memory/1548-76-0x0000000000000000-mapping.dmp

Download
memory/1548-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1548-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1708-89-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download