b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a

Analysis

max time kernel
73s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe
Size

5.5MB
MD5

89f2d62de50e6167bb21c08b9100081a
SHA1

497968e3a60f2b935c68ac7a921dd2ba885f7e3c
SHA256

b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a
SHA512

8fd290759c3d12d8bb04a337195915a56d32ad48697666816de8726ecbf14effbd6ecd1acb1ec0baf208f509523ccb871abfa2fbf366b61d524a4b63930603d6
SSDEEP

98304:skL47FxOCUcKRhz2hPzWJ9onPMkq1rYGvBxjlJDqAST+tDdSm:L4xwjcJhwonPMkCMUjlJDLST+Fr

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	text.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-POUED.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-FSMQL.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-MKNQ2.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-D6LJ7.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\is-3N3ML.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-T38QL.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-EP27B.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-O25VA.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-6OT5I.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-NNL8T.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-BTOIH.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-16I4K.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-S73SF.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-KEHIH.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-NTVPL.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-VR05M.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-13F8P.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\AutoRecover.tmp	text.exe
File opened for modification	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\text.exe	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-MR953.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\is-HJ6NN.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-AN2FL.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-0G8CH.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\reopen.txt	text.exe
File opened for modification	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\unins000.dat	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-MQ7OE.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-673TE.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-P2HBJ.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-ES7E6.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\is-DGGB5.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-216UM.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-UFVSK.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-NCCLO.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\caca.txt	text.exe
File opened for modification	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Hunspellx86.dll	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-MR5NQ.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-T95OG.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\is-E5GMV.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-F43KK.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\unins000.msg	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-LHMAP.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\settings.ini	text.exe
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\unins000.dat	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-PSOVS.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File opened for modification	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\settings.ini	text.exe
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-99ICG.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-S4MPE.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\is-9TLCM.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\chk.tmp	text.exe
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\is-8C6NR.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
File created	C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\is-6KMAO.tmp	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp

Executes dropped EXE 2 IoCs

pid	Process
4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
1436	text.exe

Loads dropped DLL 1 IoCs

pid	Process
1436	text.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	text.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	text.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 66003100000000009c58605510005445585445447e3100004e0009000400efbe9c5857559c5861552e0000001aab0200000019000000000000000000000000000000888a0b01540065007800740020004500640069007400200050006c0075007300000018000000	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 56003100000000009c5857551000564f56534f465400400009000400efbe9c5857559c5857552e00000019ab0200000019000000000000000000000000000000ded48a0056004f00560053004f0046005400000016000000	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	text.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 98003100000000009c585755110050524f4752417e320000800009000400efbec55259619c5857552e00000018040000000001000000000000000000560000000000ded48a00500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	text.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1436	text.exe
1436	text.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 4824	3724	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe	80
PID 3724 wrote to memory of 4824	3724	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe	80
PID 3724 wrote to memory of 4824	3724	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe	80
PID 4824 wrote to memory of 1436	4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp	83
PID 4824 wrote to memory of 1436	4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp	83
PID 4824 wrote to memory of 1436	4824	b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp	83

C:\Users\Admin\AppData\Local\Temp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe
"C:\Users\Admin\AppData\Local\Temp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\is-6DUKP.tmp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6DUKP.tmp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp" /SL5="$4021C,4613986,863744,C:\Users\Admin\AppData\Local\Temp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Program Files (x86)\VOVSOFT\Text Edit Plus\text.exe
    "C:\Program Files (x86)\VOVSOFT\Text Edit Plus\text.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\de-DE.aff

Filesize
19KB

MD5
76317c324a9a74b8c9ae44c54ce4fef7

SHA1
655dadf424369d9cd0e4c8a4abda4b5f1c0b327f

SHA256
8c793108af5dd0b36e44ac465fff930ea801ee68f984b1498fbc2e8fb5826c7c

SHA512
8f5660d82001e2a21a9fca68f2f0e2847e9fe7ef9ad10f90f0c2dea893321c9ee9dbc42cd14e5594d484f3c982ed86997ab1798ba5d06633117eb1c4d116e79c

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\de-DE.dic

Filesize
1.1MB

MD5
d8ed7d81e54256995fd35d533de59433

SHA1
0017fa1b1e55bb5ef193cfe9d1df14799e0670b2

SHA256
403bca188be2d006b8fc39d267308ebba70c2ba98762d93a8315edcda419708e

SHA512
f993bc69a20307ea67b9ab7fe0e51d0a8c4fc332e48fe740fbc4decc2b6137d10c10031b9572a9d1cbe058c21c186f6619e752f47344a0d8bd604481a001bad1

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\en-GB.aff

Filesize
3KB

MD5
aad35cbffa5e1412c09c33d92d7e3bff

SHA1
7e2d0bc80dac3ce6d500012d1bda4d26ca784b20

SHA256
8ae1f19d4840d957728ad90555d5a8dff6cc5c046279c95ff0c00fc0a0136c7b

SHA512
37b919ca252992b879df2463a2240ac89833754a258af26150d2ee5df071e0fd6ff3c3a64e921655f25ba75816c4b5b380dc17eb10e6c7b0ceebb0484eabe2ca

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\en-GB.dic

Filesize
539KB

MD5
1014117ff4e35330d286847556cb2ff3

SHA1
c6444dc3041c4a000306768dca7871fa5de71b42

SHA256
869fe17ba4ee4b5401c60a666ee2d6a3dcc237f460b7294435df1cc6a799aa57

SHA512
694362e55856542bafa7ce955160d9b370d3dc632729f77ceccb6f3bec1e6e683e61a8eb84486ac7265ec143b6f09aa8a943dbfeacde678869c93397361bc152

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\en-US.aff

Filesize
3KB

MD5
eaae9bae63b305440b412a48e1653a26

SHA1
e22be4b305584c419dbfdad2f69bfa1bb181d239

SHA256
c7a8c4d08c29d237880844b1623099f59092602f189be38ce3912e457ff38bc1

SHA512
b18126f63bae384cd32786093f462a5dbc906e47a4a3b93c90e394a2282af2a0e3e9a817d0087659dcd951d61f5522cb1a498e208a626fa5738e236a62506406

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Dictionaries\en-US.dic

Filesize
841KB

MD5
4f7da6beac49c854868a454d7d342fca

SHA1
395427f8bc434ffe5b1f2cf8105f798970a52031

SHA256
bb13c4e70e062f76183151b5359f345b74c295b4ca108cad7a2c2cba18d12349

SHA512
6914d5b56ab61df96828c721c83b3830432a1a340682828b873022ddb2b8dd7607facf2ae094f6fbb41f5959a6ab6ed2cce35799c0b39038c49d1191ad6339d4

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\HunspellX86.dll

Filesize
432KB

MD5
86f0d7b28f18ac72a74011b9a25ca8ed

SHA1
b26fa8af206ff493d1d5f6e51677dd10e8094661

SHA256
e46e4f7682d525f9283de2b254f3cb86d06d24b5d1a91ec5d6c3e5201f161bd5

SHA512
f40e38b5b6e5aceb4fe66a7412b80c7745354b15d12e96964ab7652c48e2eae5f63b10903df060a1a4b03682a7b27abef8e90832d97ee90e0306959739773d08

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\Languages\LanguageCodes.csv

Filesize
2KB

MD5
c8564b60ec82dbb158799c85667ab601

SHA1
f5fd2e6daf03e43149959fa8634332a7f4aab6a9

SHA256
11522e2b319b79146d6d4caf677d495bb39a4872f1fbf04db6a8554164f26b53

SHA512
cc83982d1fa855ee3ffdf49d1d72a2a84ed154a34800695444d11bb890ba2aff216cc50258ea28953801d38e8a6a6d64e450ac04163d2eb88588948f1ad9fb3d

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\settings.ini

Filesize
133B

MD5
ee4327a18206325387778ea15a061baa

SHA1
50312f8b669920e73fc9962990878a4f3272ebd5

SHA256
7602b698d8e14c9f9fb4d90dd21b55302f2b1cefc4b2ce79284427cefa8dbdcf

SHA512
581536ec687708ad39d68872d0350b6ddf8ea2aea1b0fe9655b022b92d5c236bb43694c26b597c2b6bc5c9ea4462f5024567c44250fb86c14813f17107d00a21

Download Submit
C:\Program Files (x86)\VOVSOFT\Text Edit Plus\text.exe

Filesize
9.7MB

MD5
a9f7b337354e64d1b6cc5ddcbe062441

SHA1
ea94a712e4ebf925a3a8cd20f7a277f7f0e29ce2

SHA256
8f62b9d6208b8b149fcc00051cc0851771dbb702c8c1f321ddd48786025d571b

SHA512
f9467dc0a6aa3fe88df03622dde5d95a5655a691c548f3de8eb642a86614401914db7863d42895d2e3be85da485dc36dd9431043fe0667144024bcffc93c6e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6DUKP.tmp\b61577bb7256379c1b27c62dfabba0b4ad4aecdccf38071d1df41273f3bdce5a.tmp

Filesize
3.1MB

MD5
9a9cf7db87db4b95f53a552e3e7ee34d

SHA1
6cec5121067c60df60088a86cb8be29904169115

SHA256
68656800e67adfc973b1f0077d3351173a78fd83f72310ae4ebdcfe46dd1fa77

SHA512
0234147a8fa9206ebfed19f92a2244ca1fad6ccd5e8a447fa78b9d3d5e7294ccf13eab55b02c9899125b2903040c9c6cab88d1ad1d8bd567ae633ab03c886823

Download Submit
memory/1436-113-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/1436-137-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/1436-136-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/1436-129-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3724-125-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3724-8-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3724-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3724-2-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4824-6-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4824-123-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4824-112-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4824-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4824-107-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download