Analysis
max time kernel: 171s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 12:40
Behavioral task: behavioral1
Sample: d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Resource: win10v2004-20221111-en
General
Target: d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Size: 42KB
MD5: a5a17c608e9a6b451049ee2226969790
SHA1: 6c0a5309d765a96efe79573e6cce0a7fd052d7f4
SHA256: d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63
SHA512: 1db03b588097d1076ea640ca08e4ddec93e212d2b8a7e65ac84c9bd172eaf85248ef683d86a73f53ccaac98c884e6052703a773428607b1f02573ce10c84b2f2
SSDEEP: 768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888j:hzOCay4wV339rPjzbpLwRJ9pSdoI2
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SVCHOST.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SVCHOST.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" CTFMON.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" CTFMON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SPOOLSV.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CTFMON.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SPOOLSV.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CTFMON.EXE
resource yara_rule: aspack_v212_v242 (34 IoCs)
Executes dropped EXE 12 IoCs
pid Process
588 SVCHOST.EXE
540 SVCHOST.EXE
1560 SPOOLSV.EXE
1444 SVCHOST.EXE
272 SPOOLSV.EXE
1064 CTFMON.EXE
604 SVCHOST.EXE
844 SPOOLSV.EXE
1452 CTFMON.EXE
656 CTFMON.EXE
1996 SPOOLSV.EXE
972 CTFMON.EXE
Loads dropped DLL 15 IoCs
pid Process
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
588 SVCHOST.EXE
588 SVCHOST.EXE
1560 SPOOLSV.EXE
1560 SPOOLSV.EXE
1560 SPOOLSV.EXE
1560 SPOOLSV.EXE
1064 CTFMON.EXE
1064 CTFMON.EXE
1064 CTFMON.EXE
588 SVCHOST.EXE
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Drops desktop.ini file(s) 1 IoCs
description ioc Process
File opened for modification C:\Recycled\desktop.ini d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 6 IoCs
description ioc Process
File opened for modification C:\Windows\Fonts\ Explorer.exe d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
File opened for modification C:\Windows\Fonts\ Explorer.exe SVCHOST.EXE
File opened for modification C:\Windows\Fonts\ Explorer.exe SPOOLSV.EXE
File opened for modification C:\Windows\Fonts\ Explorer.exe CTFMON.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
1612 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process
948 d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
588 SVCHOST.EXE
540 SVCHOST.EXE
1560 SPOOLSV.EXE
1444 SVCHOST.EXE
272 SPOOLSV.EXE
1064 CTFMON.EXE
604 SVCHOST.EXE
844 SPOOLSV.EXE
1452 CTFMON.EXE
656 CTFMON.EXE
1996 SPOOLSV.EXE
972 CTFMON.EXE
1612 WINWORD.EXE
1612 WINWORD.EXE
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.exe"
PID: 948 (level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE
  Command line: C:\recycled\SVCHOST.EXE :agent
  PID: 588 (level 2, parent PID 948)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE
    Command line: C:\recycled\SVCHOST.EXE :agent
    PID: 540 (level 3, parent PID 588)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE
    Command line: C:\recycled\SPOOLSV.EXE :agent
    PID: 1560 (level 3, parent PID 588)
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE
      Command line: C:\recycled\SVCHOST.EXE :agent
      PID: 1444 (level 4, parent PID 1560)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE
      Command line: C:\recycled\SPOOLSV.EXE :agent
      PID: 272 (level 4, parent PID 1560)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\recycled\CTFMON.EXE
      Command line: C:\recycled\CTFMON.EXE :agent
      PID: 1064 (level 4, parent PID 1560)
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE
        Command line: C:\recycled\SVCHOST.EXE :agent
        PID: 604 (level 5, parent PID 1064)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE
        Command line: C:\recycled\SPOOLSV.EXE :agent
        PID: 844 (level 5, parent PID 1064)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\recycled\CTFMON.EXE
        Command line: C:\recycled\CTFMON.EXE :agent
        PID: 1452 (level 5, parent PID 1064)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\recycled\CTFMON.EXE
    Command line: C:\recycled\CTFMON.EXE :agent
    PID: 656 (level 3, parent PID 588)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE
  Command line: C:\recycled\SPOOLSV.EXE :agent
  PID: 1996 (level 2, parent PID 948)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE
  Command line: C:\recycled\CTFMON.EXE :agent
  PID: 972 (level 2, parent PID 948)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d0dba62e1a74d6ef5d4b229f38ea185e7e20e6b430d08f2dbc404dbf4b193f63.doc"
  PID: 1612 (level 2, parent PID 948)
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1728 (level 3, parent PID 1612)
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 42KB
MD5 61f39f9954d70b1c1a1e2b274604366a
SHA1 59653dfdf8ff4d582a3cff97cf94c774221b8303
SHA256 daa3f79bd4e17f4e27109ae10237fb0d1f414dd454c57793008cbda0fd33af47
SHA512 c8cfc320d7ae1f1bd919edac0603c2ee1c88eb7361aa7a20f2d08e1f958da75c021a6df2dcfdcf570a6d628fa23633cd8a3d70b69486ab3a8daf19a97ee133eb
Listed 9 times
-
Filesize 42KB
MD5 1e65a56009bfc125a53289e7dc26cec4
SHA1 f7a136c16a85ea4ac6c4307cf3463f1d14f2ac3e
SHA256 d0bbccef8d92df01e72374e20decc7d1f4f3e4b5fb075dc5a5c0227def108a80
SHA512 6a501158cc1bc5739546d69d5a8a281cee55ff649bf3b66bc6d4e939bb3bd5789c3d587c8d8500e2131675f4d0b5ce3809f633b3e9f5c3bf9b9f6051df2f8806
Listed 12 times
-
Filesize 42KB
MD5 f5d35239ee425996098053c6f9f96a00
SHA1 025541e75f9decffa99dd7dcae17be4bd78a992d
SHA256 7f24b525eac64ae2b93fb0324dad0dc04430c5416d4799e85922d256cbd95b79
SHA512 52839becdd4a9a8f7d24d5da885fc52e557e11de4ee14636275b01e8c72297cd116674dd1e89f0b12d355013d9f7332eb9b2fcb44f63e562fb10a7f704a4650f
Listed 9 times
-
Filesize 2KB
MD5 1a1dce35d60d2c70ca8894954fd5d384
SHA1 58547dd65d506c892290755010d0232da34ee000
SHA256 2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA512 4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
Listed 3 times
-
Filesize 42KB
MD5 991a6b800c9e039e1ca6e111a76e4cd4
SHA1 b440f8a90ecf0f9cf3e3fd2710f0e90257a618dc
SHA256 8ef0ee1f09ce384da7d274319bd5922b528b9f7860383fd0c68e2dc526801933
SHA512 b56b5c77cd7149a03fe77f663bb09c2ac24c38b5eca714b17cfa39c9b46cd809423e1cd7a2d5c71ac3a430344bbf628d4f4b987f40191e109fd22d78c9ad4476
Listed 1 time
-
Filesize 42KB
MD5 15af5694a2d45dc91777fd0e86862049
SHA1 a8a111099174f6bf2eeea4d61fcaf8fb40955d66
SHA256 b7aa2e2e6f535f57b070524a085d833fa60bceab1809b1d82996774ec895aeb6
SHA512 a7bb5100b60452f58d81da5466e6b31ffc9ff7a2758849bca0305b5619acd0add18b87d3ccecb1a82acd4224d45d1afd4f22fa4e5db1e1506ecd2544828fb75e
Listed 1 time
-
Filesize 42KB
MD5 d9490ed51954564648bc9246ea2747a6
SHA1 ed29b25a012ce4d20a9d5fa02e26ce28aa15c4f3
SHA256 d8c817615f4b088067614d1efec71e47220e590578fdeb7f6c7b01e20bac5aab
SHA512 1c37e9e067ac792b9fbd8cf34712dfe5517bfec4e61dfa114ad8c77b32266e0b10c5883995f7b9705423567c14439d213d440110dcdf3f41ba5a80abcbce0d47
Listed 1 time