Analysis
max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted
23/10/2023, 10:26
Static task
static1
Behavioral task
behavioral1
Sample
Quotation_Oct23.rtf
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
Quotation_Oct23.rtf
Resource
win10v2004-20231020-en
General
Target
Quotation_Oct23.rtf
Size
83KB
MD5
4aa6ea3405f9bd2c4d2009e262c2d46c
SHA1
f43269a6c58648f43ca489f55b9e4f05e198d6cc
SHA256
976314b7a78022730e95f94ec9bde2c2336be574eccdc364ac26757fc7c1e267
SHA512
a30ce23cfa9364f7a447a90f6a1fcb5e285df373aa717afcdf650e02acd0344714bd4774d10f3b8b304627c98a6f9dd770610020393118904e0dea8f81cffbce
SSDEEP
768:RwAbZSibMX9gRWjSdFm1pgWxNvwJ7vyWE:RwAlRK/gWxNq7va
Malware Config
Extracted
formbook
4.1
o5gu
Signatures

Formbook payload 1 IoCs
resource yara_rule
behavioral1/memory/1748-35-0x0000000000400000-0x000000000042F000-memory.dmp formbook

Blocklisted process makes network request 1 IoCs
flow pid Process
4 1928 EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid Process
2776 owen49674.exe
1748 owen49674.exe

Loads dropped DLL 8 IoCs
pid Process
1928 EQNEDT32.EXE
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe

Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2776 set thread context of 1748 2776 owen49674.exe 35

Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE

Program crash 1 IoCs
pid pid_target Process procid_target
1052 1748 WerFault.exe 35

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process
1928 EQNEDT32.EXE
Modifies Internet Explorer settings
description ioc Process
Modifies registry class 64 IoCs
description ioc Process
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2112 WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2112 WINWORD.EXE
2112 WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target
PID 1928 wrote to memory of 2776 1928 EQNEDT32.EXE 29
PID 1928 wrote to memory of 2776 1928 EQNEDT32.EXE 29
PID 1928 wrote to memory of 2776 1928 EQNEDT32.EXE 29
PID 1928 wrote to memory of 2776 1928 EQNEDT32.EXE 29
PID 2112 wrote to memory of 2020 2112 WINWORD.EXE 32
PID 2112 wrote to memory of 2020 2112 WINWORD.EXE 32
PID 2112 wrote to memory of 2020 2112 WINWORD.EXE 32
PID 2112 wrote to memory of 2020 2112 WINWORD.EXE 32
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 2776 wrote to memory of 1748 2776 owen49674.exe 35
PID 1748 wrote to memory of 1052 1748 owen49674.exe 36
PID 1748 wrote to memory of 1052 1748 owen49674.exe 36
PID 1748 wrote to memory of 1052 1748 owen49674.exe 36
PID 1748 wrote to memory of 1052 1748 owen49674.exe 36
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotation_Oct23.rtf"
  PID:2112
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID:1928
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\owen49674.exe
      "C:\Users\Admin\AppData\Roaming\owen49674.exe"
      PID:2776
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\owen49674.exe
          "C:\Users\Admin\AppData\Roaming\owen49674.exe"
          PID:1748
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 36
              PID:1052
              - Loads dropped DLL
              - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
20KB
MD5
871bdeeaa0e0ca01ea7e83fc44c3d866
SHA1
e4695954d144a468916910f756633ce67f06be70
SHA256
cbc77d4628643555977db145b581ff9ef2926d181926b4c61ca8b15e46277e41
SHA512
cdda68f2cd5d024657b4bafd1380e8e016bc0d56ff54b891b42231b6a52adcee2b967390a4d71f8e6ed996af56cc14b3c89f1d4344dc16d836fcba62260a2b3b

Filesize
656KB
MD5
fe3629f841657d1ae164d8350eef1009
SHA1
a9026e2e80aaa7393a7e4dd2a39acc64d19ead0a
SHA256
2fd50e5697f2d8aa6f9bea9d946b1fbf6145aedd6cca90ee4032cbbae229e934
SHA512
b5f85e540c21bfbd363be902a4c9cf4662181534d855b497bfd9d1af1671d0f0f981661e1e71fa93c7177071048affc69ae86f16fe45fbdbc0fbc13a4f0cc738