6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
Size

255KB
MD5

f33f9a02bf7fc7f49e1841154af69397
SHA1

637b5adf70bcecbf856404401af47ddceab442ad
SHA256

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f
SHA512

916fcfceb6aa9e08645438834515dead60d221bf5b17b3ae22eed2456d9b098191013bcf7e9d6ef06407bba01116598bdfaa8d271cbdd7a768c84d74cd3a31f7
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJP:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	olwzyspdoj.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	olwzyspdoj.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	olwzyspdoj.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	olwzyspdoj.exe

Executes dropped EXE 6 IoCs

Processes:

olwzyspdoj.exemdnlvjdzwnbstjm.exereswydbj.exeeogaldybvdyqs.exeeogaldybvdyqs.exereswydbj.exe

pid process

1704 olwzyspdoj.exe
1684 mdnlvjdzwnbstjm.exe
376 reswydbj.exe
1272 eogaldybvdyqs.exe
1664 eogaldybvdyqs.exe
1552 reswydbj.exe

pid	process
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
376	reswydbj.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1552	reswydbj.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\olwzyspdoj.exe	upx
C:\Windows\SysWOW64\olwzyspdoj.exe	upx
\Windows\SysWOW64\mdnlvjdzwnbstjm.exe	upx
C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe	upx
C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe	upx
C:\Windows\SysWOW64\olwzyspdoj.exe	upx
\Windows\SysWOW64\reswydbj.exe	upx
C:\Windows\SysWOW64\reswydbj.exe	upx
C:\Windows\SysWOW64\eogaldybvdyqs.exe	upx
behavioral1/memory/1456-71-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\eogaldybvdyqs.exe	upx
behavioral1/memory/1704-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/376-80-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1684-79-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\eogaldybvdyqs.exe	upx
C:\Windows\SysWOW64\reswydbj.exe	upx
\Windows\SysWOW64\eogaldybvdyqs.exe	upx
C:\Windows\SysWOW64\eogaldybvdyqs.exe	upx
\Windows\SysWOW64\reswydbj.exe	upx
C:\Windows\SysWOW64\reswydbj.exe	upx
behavioral1/memory/1456-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1272-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1664-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files\OutImport.doc.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
behavioral1/memory/1704-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1684-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/376-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1272-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1664-107-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/376-115-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-114-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.execmd.exeolwzyspdoj.exe

pid	process
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1404	cmd.exe
1704	olwzyspdoj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	olwzyspdoj.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mdnlvjdzwnbstjm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avwqldaq = "mdnlvjdzwnbstjm.exe"	mdnlvjdzwnbstjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "eogaldybvdyqs.exe"	mdnlvjdzwnbstjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mdnlvjdzwnbstjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xxvjhtge = "olwzyspdoj.exe"	mdnlvjdzwnbstjm.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reswydbj.exeolwzyspdoj.exereswydbj.exe

description	ioc	process
File opened (read-only)	\??\s:	reswydbj.exe
File opened (read-only)	\??\o:	olwzyspdoj.exe
File opened (read-only)	\??\a:	reswydbj.exe
File opened (read-only)	\??\h:	reswydbj.exe
File opened (read-only)	\??\t:	reswydbj.exe
File opened (read-only)	\??\n:	olwzyspdoj.exe
File opened (read-only)	\??\o:	reswydbj.exe
File opened (read-only)	\??\k:	olwzyspdoj.exe
File opened (read-only)	\??\p:	olwzyspdoj.exe
File opened (read-only)	\??\g:	reswydbj.exe
File opened (read-only)	\??\v:	reswydbj.exe
File opened (read-only)	\??\b:	reswydbj.exe
File opened (read-only)	\??\l:	reswydbj.exe
File opened (read-only)	\??\p:	reswydbj.exe
File opened (read-only)	\??\u:	reswydbj.exe
File opened (read-only)	\??\l:	olwzyspdoj.exe
File opened (read-only)	\??\r:	olwzyspdoj.exe
File opened (read-only)	\??\t:	olwzyspdoj.exe
File opened (read-only)	\??\w:	olwzyspdoj.exe
File opened (read-only)	\??\b:	reswydbj.exe
File opened (read-only)	\??\j:	reswydbj.exe
File opened (read-only)	\??\m:	reswydbj.exe
File opened (read-only)	\??\h:	reswydbj.exe
File opened (read-only)	\??\n:	reswydbj.exe
File opened (read-only)	\??\v:	reswydbj.exe
File opened (read-only)	\??\w:	reswydbj.exe
File opened (read-only)	\??\z:	reswydbj.exe
File opened (read-only)	\??\m:	olwzyspdoj.exe
File opened (read-only)	\??\x:	reswydbj.exe
File opened (read-only)	\??\u:	reswydbj.exe
File opened (read-only)	\??\e:	reswydbj.exe
File opened (read-only)	\??\i:	reswydbj.exe
File opened (read-only)	\??\q:	reswydbj.exe
File opened (read-only)	\??\r:	reswydbj.exe
File opened (read-only)	\??\a:	olwzyspdoj.exe
File opened (read-only)	\??\k:	reswydbj.exe
File opened (read-only)	\??\q:	olwzyspdoj.exe
File opened (read-only)	\??\u:	olwzyspdoj.exe
File opened (read-only)	\??\f:	reswydbj.exe
File opened (read-only)	\??\g:	reswydbj.exe
File opened (read-only)	\??\m:	reswydbj.exe
File opened (read-only)	\??\o:	reswydbj.exe
File opened (read-only)	\??\p:	reswydbj.exe
File opened (read-only)	\??\s:	reswydbj.exe
File opened (read-only)	\??\z:	reswydbj.exe
File opened (read-only)	\??\k:	reswydbj.exe
File opened (read-only)	\??\z:	olwzyspdoj.exe
File opened (read-only)	\??\i:	reswydbj.exe
File opened (read-only)	\??\b:	olwzyspdoj.exe
File opened (read-only)	\??\f:	olwzyspdoj.exe
File opened (read-only)	\??\s:	olwzyspdoj.exe
File opened (read-only)	\??\t:	reswydbj.exe
File opened (read-only)	\??\h:	olwzyspdoj.exe
File opened (read-only)	\??\x:	olwzyspdoj.exe
File opened (read-only)	\??\q:	reswydbj.exe
File opened (read-only)	\??\y:	reswydbj.exe
File opened (read-only)	\??\g:	olwzyspdoj.exe
File opened (read-only)	\??\l:	reswydbj.exe
File opened (read-only)	\??\a:	reswydbj.exe
File opened (read-only)	\??\j:	reswydbj.exe
File opened (read-only)	\??\e:	olwzyspdoj.exe
File opened (read-only)	\??\j:	olwzyspdoj.exe
File opened (read-only)	\??\v:	olwzyspdoj.exe
File opened (read-only)	\??\y:	reswydbj.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

olwzyspdoj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	olwzyspdoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	olwzyspdoj.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1456-71-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1704-78-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/376-80-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1684-79-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1456-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1272-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1664-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1704-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1684-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/376-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1272-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1664-107-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/376-115-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-114-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exeolwzyspdoj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\reswydbj.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	olwzyspdoj.exe
File created	C:\Windows\SysWOW64\olwzyspdoj.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\SysWOW64\olwzyspdoj.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File created	C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\SysWOW64\reswydbj.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File created	C:\Windows\SysWOW64\eogaldybvdyqs.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\SysWOW64\eogaldybvdyqs.exe	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe

Drops file in Program Files directory 22 IoCs

Processes:

reswydbj.exereswydbj.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	reswydbj.exe
File opened for modification	C:\Program Files\OutImport.doc.exe	reswydbj.exe
File opened for modification	C:\Program Files\OutImport.nal	reswydbj.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	reswydbj.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	reswydbj.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	reswydbj.exe
File created	\??\c:\Program Files\OutImport.doc.exe	reswydbj.exe
File opened for modification	\??\c:\Program Files\OutImport.doc.exe	reswydbj.exe
File opened for modification	\??\c:\Program Files\OutImport.doc.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	reswydbj.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	reswydbj.exe
File opened for modification	C:\Program Files\OutImport.doc.exe	reswydbj.exe
File opened for modification	C:\Program Files\OutImport.nal	reswydbj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	reswydbj.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe

description	ioc	process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exeolwzyspdoj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C0F9D5582556D3577D377262CDA7D8164AA"	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FAB0F963F195840F3B4B869F3EE2B38802FA4311023AE2CA42EA08A7"	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	olwzyspdoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	olwzyspdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	olwzyspdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	olwzyspdoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF88482785699134D7587E9CBDEFE6345943664E623FD6EE"	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	olwzyspdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70C14E5DBC5B8C87CE0ED9F37C8"	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	olwzyspdoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

240 WINWORD.EXE

pid	process
240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exemdnlvjdzwnbstjm.exeolwzyspdoj.exeeogaldybvdyqs.exereswydbj.exeeogaldybvdyqs.exereswydbj.exe

pid	process
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1684	mdnlvjdzwnbstjm.exe
1684	mdnlvjdzwnbstjm.exe
1684	mdnlvjdzwnbstjm.exe
1684	mdnlvjdzwnbstjm.exe
1684	mdnlvjdzwnbstjm.exe
1704	olwzyspdoj.exe
1704	olwzyspdoj.exe
1704	olwzyspdoj.exe
1704	olwzyspdoj.exe
1704	olwzyspdoj.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
376	reswydbj.exe
376	reswydbj.exe
376	reswydbj.exe
376	reswydbj.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1552	reswydbj.exe
1552	reswydbj.exe
1552	reswydbj.exe
1552	reswydbj.exe
1684	mdnlvjdzwnbstjm.exe
1684	mdnlvjdzwnbstjm.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1684	mdnlvjdzwnbstjm.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1684	mdnlvjdzwnbstjm.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1684	mdnlvjdzwnbstjm.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1684	mdnlvjdzwnbstjm.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exeolwzyspdoj.exemdnlvjdzwnbstjm.exereswydbj.exeeogaldybvdyqs.exeeogaldybvdyqs.exereswydbj.exe

pid	process
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
376	reswydbj.exe
376	reswydbj.exe
1272	eogaldybvdyqs.exe
376	reswydbj.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1552	reswydbj.exe
1552	reswydbj.exe
1552	reswydbj.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exeolwzyspdoj.exemdnlvjdzwnbstjm.exereswydbj.exeeogaldybvdyqs.exeeogaldybvdyqs.exereswydbj.exe

pid	process
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
1704	olwzyspdoj.exe
1684	mdnlvjdzwnbstjm.exe
376	reswydbj.exe
376	reswydbj.exe
1272	eogaldybvdyqs.exe
376	reswydbj.exe
1272	eogaldybvdyqs.exe
1272	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1664	eogaldybvdyqs.exe
1552	reswydbj.exe
1552	reswydbj.exe
1552	reswydbj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

240 WINWORD.EXE
240 WINWORD.EXE

pid	process
240	WINWORD.EXE
240	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exemdnlvjdzwnbstjm.execmd.exeolwzyspdoj.exeWINWORD.EXE

description	pid	process	target process
PID 1456 wrote to memory of 1704	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	olwzyspdoj.exe
PID 1456 wrote to memory of 1704	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	olwzyspdoj.exe
PID 1456 wrote to memory of 1704	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	olwzyspdoj.exe
PID 1456 wrote to memory of 1704	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	olwzyspdoj.exe
PID 1456 wrote to memory of 1684	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	mdnlvjdzwnbstjm.exe
PID 1456 wrote to memory of 1684	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	mdnlvjdzwnbstjm.exe
PID 1456 wrote to memory of 1684	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	mdnlvjdzwnbstjm.exe
PID 1456 wrote to memory of 1684	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	mdnlvjdzwnbstjm.exe
PID 1456 wrote to memory of 376	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	reswydbj.exe
PID 1456 wrote to memory of 376	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	reswydbj.exe
PID 1456 wrote to memory of 376	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	reswydbj.exe
PID 1456 wrote to memory of 376	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	reswydbj.exe
PID 1456 wrote to memory of 1272	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	eogaldybvdyqs.exe
PID 1456 wrote to memory of 1272	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	eogaldybvdyqs.exe
PID 1456 wrote to memory of 1272	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	eogaldybvdyqs.exe
PID 1456 wrote to memory of 1272	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	eogaldybvdyqs.exe
PID 1684 wrote to memory of 1404	1684	mdnlvjdzwnbstjm.exe	cmd.exe
PID 1684 wrote to memory of 1404	1684	mdnlvjdzwnbstjm.exe	cmd.exe
PID 1684 wrote to memory of 1404	1684	mdnlvjdzwnbstjm.exe	cmd.exe
PID 1684 wrote to memory of 1404	1684	mdnlvjdzwnbstjm.exe	cmd.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	eogaldybvdyqs.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	eogaldybvdyqs.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	eogaldybvdyqs.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	eogaldybvdyqs.exe
PID 1704 wrote to memory of 1552	1704	olwzyspdoj.exe	reswydbj.exe
PID 1704 wrote to memory of 1552	1704	olwzyspdoj.exe	reswydbj.exe
PID 1704 wrote to memory of 1552	1704	olwzyspdoj.exe	reswydbj.exe
PID 1704 wrote to memory of 1552	1704	olwzyspdoj.exe	reswydbj.exe
PID 1456 wrote to memory of 240	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	WINWORD.EXE
PID 1456 wrote to memory of 240	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	WINWORD.EXE
PID 1456 wrote to memory of 240	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	WINWORD.EXE
PID 1456 wrote to memory of 240	1456	6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe	WINWORD.EXE
PID 240 wrote to memory of 916	240	WINWORD.EXE	splwow64.exe
PID 240 wrote to memory of 916	240	WINWORD.EXE	splwow64.exe
PID 240 wrote to memory of 916	240	WINWORD.EXE	splwow64.exe
PID 240 wrote to memory of 916	240	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
"C:\Users\Admin\AppData\Local\Temp\6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\olwzyspdoj.exe
olwzyspdoj.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\reswydbj.exe
C:\Windows\system32\reswydbj.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552

C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe
mdnlvjdzwnbstjm.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c eogaldybvdyqs.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\eogaldybvdyqs.exe
eogaldybvdyqs.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1664

C:\Windows\SysWOW64\reswydbj.exe
reswydbj.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:376

C:\Windows\SysWOW64\eogaldybvdyqs.exe
eogaldybvdyqs.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
076068d2bbbf3f00bbbc83d58a259490

SHA1
8c73941faaf42ff325f694c91c9d75e93e2ec5a4

SHA256
9a1f131a1792cc08f169a560aecd4db3a30b45770c33a49fc80f060a02ccf751

SHA512
4226d6c02915b8a2b98cacf91358f8a3687790ec9df2513af9e928240b609d3217957f84c22146ca5b6bdbadfc8a1478c68f6d4f9248caec4237642f7f104efa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
d8e874652f6ff14485aee42aebb39618

SHA1
25f30c368b5e1edfb0be60fb4b484ced137cd44d

SHA256
36507d1511dd5fe7342b41b8f77ccd52b00e585a1992d6030c81a399ebe8bd26

SHA512
34a7a9d96fffacbeebcf7f87a971c3276f705034d38351ef82f2592cf1c9f9bd05347a8480afe11b6f6fe603b57e39b63beb923599a204a75b921b084ec798df

Download Submit
C:\Program Files\OutImport.doc.exe
Filesize
255KB

MD5
e30ffea39f1a1a55d13b459441097902

SHA1
2830a454d066841ee07bb3448c5a5e36ff4f3f0f

SHA256
7bbeba028e94c3cd139d3122bf5eaab2d1bc3f0b20bf92e668fcc548e03318cd

SHA512
d083cd9464afeb4b0b442727c80fc0f914f0f802ca42689c0123d96821bbcd3e57a98ba10665fd5db01b97f32a7e454b7db03f98dc77885c8fc7f798dfd4a101

Download Submit
C:\Windows\SysWOW64\eogaldybvdyqs.exe
Filesize
255KB

MD5
f8bfcfb1e238310b69b6eae0e7dc089c

SHA1
1b8bc1110194be2808cab82e4b063a5a01219d73

SHA256
f4bec6e81a919f1608ee32e3df830a0756381a303e742cac4b0d31d38015b149

SHA512
e604c956860d3988e45e298d84c6b94a04a02080c237a66fe0a005afca4d2fe4fafa96331800605a5455ca4936744d35edfd00268290781d97bd404e0739801f

Download Submit
C:\Windows\SysWOW64\eogaldybvdyqs.exe
Filesize
255KB

MD5
f8bfcfb1e238310b69b6eae0e7dc089c

SHA1
1b8bc1110194be2808cab82e4b063a5a01219d73

SHA256
f4bec6e81a919f1608ee32e3df830a0756381a303e742cac4b0d31d38015b149

SHA512
e604c956860d3988e45e298d84c6b94a04a02080c237a66fe0a005afca4d2fe4fafa96331800605a5455ca4936744d35edfd00268290781d97bd404e0739801f

Download Submit
C:\Windows\SysWOW64\eogaldybvdyqs.exe
Filesize
255KB

MD5
f8bfcfb1e238310b69b6eae0e7dc089c

SHA1
1b8bc1110194be2808cab82e4b063a5a01219d73

SHA256
f4bec6e81a919f1608ee32e3df830a0756381a303e742cac4b0d31d38015b149

SHA512
e604c956860d3988e45e298d84c6b94a04a02080c237a66fe0a005afca4d2fe4fafa96331800605a5455ca4936744d35edfd00268290781d97bd404e0739801f

Download Submit
C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe
Filesize
255KB

MD5
b92da99aaf68dd7c8acea2bc2d233514

SHA1
5a60d607e387cb8c40b2495602a1e94085491457

SHA256
cf93fa7bb6b340660460d33d03cb9f8a122181c25ffb142ab24dcc62ed394baf

SHA512
6bf2a106005f904aacf506f007d3e4d72b62ba3a5ef7e422352e3fa132c42953773101698cb00067d43c1121add27944a670d7f0cff02fe1c95a1109facf7565

Download Submit
C:\Windows\SysWOW64\mdnlvjdzwnbstjm.exe
Filesize
255KB

MD5
b92da99aaf68dd7c8acea2bc2d233514

SHA1
5a60d607e387cb8c40b2495602a1e94085491457

SHA256
cf93fa7bb6b340660460d33d03cb9f8a122181c25ffb142ab24dcc62ed394baf

SHA512
6bf2a106005f904aacf506f007d3e4d72b62ba3a5ef7e422352e3fa132c42953773101698cb00067d43c1121add27944a670d7f0cff02fe1c95a1109facf7565

Download Submit
C:\Windows\SysWOW64\olwzyspdoj.exe
Filesize
255KB

MD5
265b424358742b4987555f10e67555d3

SHA1
0abfd7a117dd2c246c5dde617661904add53fc64

SHA256
2886e77d5bb47900d2a3430937fc739f984a3fd7f9c78272df4bf07594048f81

SHA512
0b560d26bbad2d9a7f8954457c7a77d9c39b0fbe9924c3f7a19ef8487dce804021b0bb5b25ca05a30891da9221a4d9e149f09473e3c8309c89a99d04f66f5662

Download Submit
C:\Windows\SysWOW64\olwzyspdoj.exe
Filesize
255KB

MD5
265b424358742b4987555f10e67555d3

SHA1
0abfd7a117dd2c246c5dde617661904add53fc64

SHA256
2886e77d5bb47900d2a3430937fc739f984a3fd7f9c78272df4bf07594048f81

SHA512
0b560d26bbad2d9a7f8954457c7a77d9c39b0fbe9924c3f7a19ef8487dce804021b0bb5b25ca05a30891da9221a4d9e149f09473e3c8309c89a99d04f66f5662

Download Submit
C:\Windows\SysWOW64\reswydbj.exe
Filesize
255KB

MD5
fdcaf07284ea5615bc9d3e14281e5b98

SHA1
206d457e9ac36cfb3e5a33093353db338febaa9a

SHA256
c60d6195d145b8500c1fa4ecf08a2e07705442d1e8da01715fdad608e788b99e

SHA512
f08382d2afba882f59535a259c8483f623b7dd3e6a34b5a36fd29521e59127d4c003e86ebfbb88c2e743cdeb907f885ca8d41b6de62ea8516f40816070c68eb1

Download Submit
C:\Windows\SysWOW64\reswydbj.exe
Filesize
255KB

MD5
fdcaf07284ea5615bc9d3e14281e5b98

SHA1
206d457e9ac36cfb3e5a33093353db338febaa9a

SHA256
c60d6195d145b8500c1fa4ecf08a2e07705442d1e8da01715fdad608e788b99e

SHA512
f08382d2afba882f59535a259c8483f623b7dd3e6a34b5a36fd29521e59127d4c003e86ebfbb88c2e743cdeb907f885ca8d41b6de62ea8516f40816070c68eb1

Download Submit
C:\Windows\SysWOW64\reswydbj.exe
Filesize
255KB

MD5
fdcaf07284ea5615bc9d3e14281e5b98

SHA1
206d457e9ac36cfb3e5a33093353db338febaa9a

SHA256
c60d6195d145b8500c1fa4ecf08a2e07705442d1e8da01715fdad608e788b99e

SHA512
f08382d2afba882f59535a259c8483f623b7dd3e6a34b5a36fd29521e59127d4c003e86ebfbb88c2e743cdeb907f885ca8d41b6de62ea8516f40816070c68eb1

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\eogaldybvdyqs.exe
Filesize
255KB

MD5
f8bfcfb1e238310b69b6eae0e7dc089c

SHA1
1b8bc1110194be2808cab82e4b063a5a01219d73

SHA256
f4bec6e81a919f1608ee32e3df830a0756381a303e742cac4b0d31d38015b149

SHA512
e604c956860d3988e45e298d84c6b94a04a02080c237a66fe0a005afca4d2fe4fafa96331800605a5455ca4936744d35edfd00268290781d97bd404e0739801f

Download Submit
\Windows\SysWOW64\eogaldybvdyqs.exe
Filesize
255KB

MD5
f8bfcfb1e238310b69b6eae0e7dc089c

SHA1
1b8bc1110194be2808cab82e4b063a5a01219d73

SHA256
f4bec6e81a919f1608ee32e3df830a0756381a303e742cac4b0d31d38015b149

SHA512
e604c956860d3988e45e298d84c6b94a04a02080c237a66fe0a005afca4d2fe4fafa96331800605a5455ca4936744d35edfd00268290781d97bd404e0739801f

Download Submit
\Windows\SysWOW64\mdnlvjdzwnbstjm.exe
Filesize
255KB

MD5
b92da99aaf68dd7c8acea2bc2d233514

SHA1
5a60d607e387cb8c40b2495602a1e94085491457

SHA256
cf93fa7bb6b340660460d33d03cb9f8a122181c25ffb142ab24dcc62ed394baf

SHA512
6bf2a106005f904aacf506f007d3e4d72b62ba3a5ef7e422352e3fa132c42953773101698cb00067d43c1121add27944a670d7f0cff02fe1c95a1109facf7565

Download Submit
\Windows\SysWOW64\olwzyspdoj.exe
Filesize
255KB

MD5
265b424358742b4987555f10e67555d3

SHA1
0abfd7a117dd2c246c5dde617661904add53fc64

SHA256
2886e77d5bb47900d2a3430937fc739f984a3fd7f9c78272df4bf07594048f81

SHA512
0b560d26bbad2d9a7f8954457c7a77d9c39b0fbe9924c3f7a19ef8487dce804021b0bb5b25ca05a30891da9221a4d9e149f09473e3c8309c89a99d04f66f5662

Download Submit
\Windows\SysWOW64\reswydbj.exe
Filesize
255KB

MD5
fdcaf07284ea5615bc9d3e14281e5b98

SHA1
206d457e9ac36cfb3e5a33093353db338febaa9a

SHA256
c60d6195d145b8500c1fa4ecf08a2e07705442d1e8da01715fdad608e788b99e

SHA512
f08382d2afba882f59535a259c8483f623b7dd3e6a34b5a36fd29521e59127d4c003e86ebfbb88c2e743cdeb907f885ca8d41b6de62ea8516f40816070c68eb1

Download Submit
\Windows\SysWOW64\reswydbj.exe
Filesize
255KB

MD5
fdcaf07284ea5615bc9d3e14281e5b98

SHA1
206d457e9ac36cfb3e5a33093353db338febaa9a

SHA256
c60d6195d145b8500c1fa4ecf08a2e07705442d1e8da01715fdad608e788b99e

SHA512
f08382d2afba882f59535a259c8483f623b7dd3e6a34b5a36fd29521e59127d4c003e86ebfbb88c2e743cdeb907f885ca8d41b6de62ea8516f40816070c68eb1

Download Submit
memory/240-113-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/240-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/240-95-0x000000006FB81000-0x000000006FB83000-memory.dmp

Filesize
8KB

Download
memory/240-89-0x0000000000000000-mapping.dmp

Download
memory/240-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/240-97-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/240-109-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/240-94-0x0000000072101000-0x0000000072104000-memory.dmp

Filesize
12KB

Download
memory/376-66-0x0000000000000000-mapping.dmp

Download
memory/376-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/376-115-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/376-80-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/916-110-0x0000000000000000-mapping.dmp

Download
memory/916-111-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1272-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1272-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1272-70-0x0000000000000000-mapping.dmp

Download
memory/1404-75-0x0000000000000000-mapping.dmp

Download
memory/1456-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1456-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1456-74-0x0000000003340000-0x00000000033E0000-memory.dmp

Filesize
640KB

Download
memory/1552-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1552-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1552-86-0x0000000000000000-mapping.dmp

Download
memory/1552-114-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1664-107-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1664-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1664-82-0x0000000000000000-mapping.dmp

Download
memory/1684-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1684-60-0x0000000000000000-mapping.dmp

Download
memory/1684-79-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1704-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1704-56-0x0000000000000000-mapping.dmp

Download
memory/1704-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads