Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
13/03/2023, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
fa106001a7cf2deb09192898ba82b50f.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
fa106001a7cf2deb09192898ba82b50f.rtf
Resource
win10v2004-20230221-en
General
-
Target
fa106001a7cf2deb09192898ba82b50f.rtf
-
Size
25KB
-
MD5
fa106001a7cf2deb09192898ba82b50f
-
SHA1
d472611b9c4185f4dad80143c6c46cb3a3047779
-
SHA256
e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
-
SHA512
16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
-
SSDEEP
768:LEohQfFWWeZqbo8PC6uucJIOFMzGcAYl+CxjfbsredELLyxWlN:IoheWnIKIicYC16rLaWf
Malware Config
Extracted
remcos
RemoteHost
vcv.mastercoa.co:8489
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-4IE8MY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 872 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 1104 vbc.exe 1680 ryiixl.exe 1572 ryiixl.exe -
Loads dropped DLL 4 IoCs
pid Process 872 EQNEDT32.EXE 1104 vbc.exe 1104 vbc.exe 1680 ryiixl.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1680 set thread context of 1572 1680 ryiixl.exe 34 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 872 EQNEDT32.EXE -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1704 WINWORD.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1680 ryiixl.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1704 WINWORD.EXE 1704 WINWORD.EXE 1572 ryiixl.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 872 wrote to memory of 1104 872 EQNEDT32.EXE 31 PID 872 wrote to memory of 1104 872 EQNEDT32.EXE 31 PID 872 wrote to memory of 1104 872 EQNEDT32.EXE 31 PID 872 wrote to memory of 1104 872 EQNEDT32.EXE 31 PID 1104 wrote to memory of 1680 1104 vbc.exe 32 PID 1104 wrote to memory of 1680 1104 vbc.exe 32 PID 1104 wrote to memory of 1680 1104 vbc.exe 32 PID 1104 wrote to memory of 1680 1104 vbc.exe 32 PID 1680 wrote to memory of 1572 1680 ryiixl.exe 34 PID 1680 wrote to memory of 1572 1680 ryiixl.exe 34 PID 1680 wrote to memory of 1572 1680 ryiixl.exe 34 PID 1680 wrote to memory of 1572 1680 ryiixl.exe 34 PID 1680 wrote to memory of 1572 1680 ryiixl.exe 34 PID 1704 wrote to memory of 852 1704 WINWORD.EXE 37 PID 1704 wrote to memory of 852 1704 WINWORD.EXE 37 PID 1704 wrote to memory of 852 1704 WINWORD.EXE 37 PID 1704 wrote to memory of 852 1704 WINWORD.EXE 37
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa106001a7cf2deb09192898ba82b50f.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:852
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe" C:\Users\Admin\AppData\Local\Temp\jdgwj.al3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262B
MD5136b2b89a3221f84f3be970881c71950
SHA1154592913be8e207b291efc7806b1bb88c8cb45c
SHA256d2a9ec4c2f76e962098440668842eac055a707691fcf5f95e848b2c35f1f27af
SHA512f02d42cd0969ebc16c61934ceb3894a3856cfc60921c6db5ccf1ea5041f986426e0a72234d6a8fecf57cc19370120d52315cd0aea1a20fbde22f54422d5527f6
-
Filesize
5KB
MD52713735a6a22806ebe05a3616d813b9d
SHA1aa850ef9a7277de15a3a7dacff134a7f6a9f43d5
SHA2563230b1927e92ec8b3e76d353a97807718e766cb81fb4dddccc2997e54404883e
SHA512ba6fd4723a9182a09ecfb24a86b7452df4177987635e9b530c91745bef427b968b8a07becb87c968e8c86e45bb7b18e072a52a10c845bf367d46ceb2629009a6
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
495KB
MD53492b562086daedc2ebab288e514690d
SHA1630ef4d0016aa312607b8d43c39f0dc7c4db6b6d
SHA25670ef2a031c2947fff70f9ac97b662fdb9414b661047b66372a41c53cc354ad9a
SHA512c615ceaac3f366b8c4cf5781a2927a850926d1a77f9a29d05df399bc5b3c2a5775d89f19f315a27fd82945ad377ce6593fa7a672e241d1baffd6ebbd6de85db6
-
Filesize
20KB
MD5c7936eaf34f95bd60178c397a8fe5ee3
SHA1053495205e305f3dcc811b63dfe69b1c55f0809f
SHA256f3a5790955adff8a2b129fac04183f14dbed9c5ffff52c602ee2d557584f09a5
SHA5129d2c3d93fe23d344d6ba830c97bfcdb5ea5785377ac08c4f49bd520d58ea876a22d0dc30f3eac914beec1f9b6a63e0f690621f0c5b9ca94644a7a289e7c39ebd
-
Filesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
Filesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
Filesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
Filesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e