Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 06:53
Behavioral task behavioral1
- Sample: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- Resource: win10v2004-20220812-en
General
- Target: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- Size: 42KB
- MD5: a4ffa86f2f2bd79d6620f3762f3717dc
- SHA1: c91221cd293a2e13b592150006e4c395c8439333
- SHA256: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc
- SHA512: 632d5c3398da059336d51f83c5335a26858eee255f5d29067ec5f86f3ef345f1ed467cdf6e09c98b474f199122e1046765df606f8b0cbe0ede77290bff41eaa4
- SSDEEP: 768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888x:hzOCay4wV339rPjzbpLwRJ9pSdoIE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" (CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" (SPOOLSV.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (SPOOLSV.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" (SVCHOST.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (SVCHOST.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (SVCHOST.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (CTFMON.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (SPOOLSV.EXE)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (SPOOLSV.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (SVCHOST.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Executes dropped EXE (12 IoCs)
Processes (pid, process):
- 944 SVCHOST.EXE
- 2040 SVCHOST.EXE
- 2000 SPOOLSV.EXE
- 1692 SVCHOST.EXE
- 1716 SPOOLSV.EXE
- 776 CTFMON.EXE
- 1652 SVCHOST.EXE
- 1204 SPOOLSV.EXE
- 584 CTFMON.EXE
- 1104 CTFMON.EXE
- 1140 SPOOLSV.EXE
- 1940 CTFMON.EXE
Loads dropped DLL (15 IoCs)
Processes (pid, process):
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- 944 SVCHOST.EXE
- 944 SVCHOST.EXE
- 2000 SPOOLSV.EXE
- 2000 SPOOLSV.EXE
- 2000 SPOOLSV.EXE
- 2000 SPOOLSV.EXE
- 776 CTFMON.EXE
- 776 CTFMON.EXE
- 776 CTFMON.EXE
- 944 SVCHOST.EXE
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Drops desktop.ini file(s) (1 IoCs)
Processes:
- File opened for modification C:\Recycled\desktop.ini (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (6 IoCs)
Processes:
- File opened for modification C:\Windows\Fonts\ Explorer.exe (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
- File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
- File opened for modification C:\Windows\Fonts\ Explorer.exe (SVCHOST.EXE)
- File opened for modification C:\Windows\Fonts\ Explorer.exe (SPOOLSV.EXE)
- File opened for modification C:\Windows\Fonts\ Explorer.exe (CTFMON.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
- 1004 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes (pid, process):
- 1664 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
- 944 SVCHOST.EXE
- 2040 SVCHOST.EXE
- 2000 SPOOLSV.EXE
- 1692 SVCHOST.EXE
- 1716 SPOOLSV.EXE
- 776 CTFMON.EXE
- 1652 SVCHOST.EXE
- 1204 SPOOLSV.EXE
- 584 CTFMON.EXE
- 1104 CTFMON.EXE
- 1140 SPOOLSV.EXE
- 1940 CTFMON.EXE
- 1004 WINWORD.EXE
- 1004 WINWORD.EXE
Suspicious use of WriteProcessMemory (52 IoCs)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\recycled\SVCHOST.EXE
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\recycled\SVCHOST.EXE
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\recycled\SPOOLSV.EXE
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\recycled\SVCHOST.EXE
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\recycled\SPOOLSV.EXE
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\recycled\CTFMON.EXE
        Command line: C:\recycled\CTFMON.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\recycled\SVCHOST.EXE
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        Depth 5: C:\recycled\SPOOLSV.EXE
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        Depth 5: C:\recycled\CTFMON.EXE
          Command line: C:\recycled\CTFMON.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

    Depth 3: C:\recycled\CTFMON.EXE
      Command line: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  Depth 2: C:\recycled\SPOOLSV.EXE
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\recycled\CTFMON.EXE
    Command line: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Recycled\CTFMON.EXE (listed 4 times)
Filesize 42KB
MD5 47df2d3fc9e9686363eab759ad1d2e67
SHA1 e227787b3c651332708700ca0c0745fd4e3e4da2
SHA256 2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46
SHA512 af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59
-
C:\Recycled\SPOOLSV.EXE (listed 4 times)
Filesize 42KB
MD5 e0fbfa11e574b987fb744dfb4bfbf2f8
SHA1 fd2064fde24f057c0be3ef45f22979b78f9a57cb
SHA256 c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7
SHA512 7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208
-
C:\Recycled\SVCHOST.EXE (listed 4 times)
Filesize 42KB
MD5 05cd6d4df6667e481e4dc7f0f7a7d45d
SHA1 94692122e37ba21bd78659e5ed50748a5577c3e7
SHA256 e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069
SHA512 216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt (listed 3 times)
Filesize 2KB
MD5 1a1dce35d60d2c70ca8894954fd5d384
SHA1 58547dd65d506c892290755010d0232da34ee000
SHA256 2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA512 4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Windows\Fonts\ Explorer.exe (listed 2 times; first of two different file contents written to this path)
Filesize 42KB
MD5 f83ce8362919df4a34fa6440e756096b
SHA1 cbb467378a11935da0effcfdadeabd48bc5f9164
SHA256 2b01debe834f9051e11e938ff56c2b859c3cf81e86cb7caf991dc66886828ad4
SHA512 fb21945390dafd42b9ab14c7f3e4f640837006d570e36d453b1d0372199a893f890bb6c0c388af07c558705200db137488e42128a0bccb4ea8b6393ecd6b2012
-
C:\Windows\Fonts\ Explorer.exe (listed 1 time; second of two different file contents written to this path)
Filesize 42KB
MD5 6f77afc127e907fa28842e7ec902a876
SHA1 07646d89d1cd2738d37e306b13ecd0a3c9699998
SHA256 948069fcf122ce03d98b1633ac2d56ff082d25c62187b81f4166c38091a74668
SHA512 081880131c0b14c0f9cc9bd4e76507c452443f4d22ff045c1740f5ddeb29cf09fdae0a1d0debea97fca6d2861fa2953a04155dc532e00b9c177714bd5ba7f0bd
-
C:\recycled\CTFMON.EXE (listed 1 time; same content as C:\Recycled\CTFMON.EXE above)
Filesize 42KB
MD5 47df2d3fc9e9686363eab759ad1d2e67
SHA1 e227787b3c651332708700ca0c0745fd4e3e4da2
SHA256 2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46
SHA512 af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59
-
C:\recycled\SPOOLSV.EXE (listed 1 time; same content as C:\Recycled\SPOOLSV.EXE above)
Filesize 42KB
MD5 e0fbfa11e574b987fb744dfb4bfbf2f8
SHA1 fd2064fde24f057c0be3ef45f22979b78f9a57cb
SHA256 c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7
SHA512 7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208
-
C:\recycled\SVCHOST.exe (listed 1 time; same content as C:\Recycled\SVCHOST.EXE above)
Filesize 42KB
MD5 05cd6d4df6667e481e4dc7f0f7a7d45d
SHA1 94692122e37ba21bd78659e5ed50748a5577c3e7
SHA256 e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069
SHA512 216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093
-
\Recycled\CTFMON.EXE (listed 4 times; same content as C:\Recycled\CTFMON.EXE above)
Filesize 42KB
MD5 47df2d3fc9e9686363eab759ad1d2e67
SHA1 e227787b3c651332708700ca0c0745fd4e3e4da2
SHA256 2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46
SHA512 af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59
-
\Recycled\SPOOLSV.EXE (listed 7 times; same content as C:\Recycled\SPOOLSV.EXE above)
Filesize 42KB
MD5 e0fbfa11e574b987fb744dfb4bfbf2f8
SHA1 fd2064fde24f057c0be3ef45f22979b78f9a57cb
SHA256 c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7
SHA512 7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208
-
\Recycled\SVCHOST.EXE (listed 4 times; same content as C:\Recycled\SVCHOST.EXE above)
Filesize 42KB
MD5 05cd6d4df6667e481e4dc7f0f7a7d45d
SHA1 94692122e37ba21bd78659e5ed50748a5577c3e7
SHA256 e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069
SHA512 216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093
-
memory/584-127-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/584-122-0x0000000000000000-mapping.dmp
memory/776-97-0x0000000000000000-mapping.dmp
memory/776-160-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/776-147-0x00000000024D0000-0x00000000024EA000-memory.dmp (Filesize 104KB)
memory/776-118-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/944-112-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/944-59-0x0000000000000000-mapping.dmp
memory/944-161-0x0000000001D40000-0x0000000001D5A000-memory.dmp (Filesize 104KB)
memory/944-159-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/944-148-0x0000000001D40000-0x0000000001D5A000-memory.dmp (Filesize 104KB)
memory/1004-157-0x000000007123D000-0x0000000071248000-memory.dmp (Filesize 44KB)
memory/1004-156-0x000000007123D000-0x0000000071248000-memory.dmp (Filesize 44KB)
memory/1004-154-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/1004-153-0x0000000070251000-0x0000000070253000-memory.dmp (Filesize 8KB)
memory/1004-152-0x00000000727D1000-0x00000000727D4000-memory.dmp (Filesize 12KB)
memory/1004-150-0x0000000000000000-mapping.dmp
memory/1104-129-0x0000000000000000-mapping.dmp
memory/1104-133-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1140-136-0x0000000000000000-mapping.dmp
memory/1140-141-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1204-123-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1204-117-0x0000000000000000-mapping.dmp
memory/1652-114-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1652-105-0x0000000000000000-mapping.dmp
memory/1664-111-0x0000000000680000-0x000000000069A000-memory.dmp (Filesize 104KB)
memory/1664-109-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1664-56-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (Filesize 8KB)
memory/1664-149-0x0000000000680000-0x000000000069A000-memory.dmp (Filesize 104KB)
memory/1664-151-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1664-110-0x0000000000680000-0x000000000069A000-memory.dmp (Filesize 104KB)
memory/1692-83-0x0000000000000000-mapping.dmp
memory/1692-88-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1716-89-0x0000000000000000-mapping.dmp
memory/1716-93-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/1940-142-0x0000000000000000-mapping.dmp
memory/1940-146-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/2000-75-0x0000000000000000-mapping.dmp
memory/2000-158-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/2000-113-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/2040-71-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize 104KB)
memory/2040-67-0x0000000000000000-mapping.dmp