0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6

Analysis

max time kernel
28s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-05-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

3.6MB
MD5

20bed1337f3a4fac4127076ad1a1fa67
SHA1

fe648d3c6f275b81080d1f30068f423cdb4a8a7a
SHA256

0e4554928c58499fee3ecbf94846ef961957ed91a0d18c675d73dad6c9cb3de6
SHA512

9da7adc1d495716ce6e1d5cfd78401fcafe32e92f59f377b4bd4c89c2f6d2754b9320d2ab59e48a02ed30f4ee65e7bf5d084d33d673a08e8c1b4a84e0716dd2b
SSDEEP

49152:WoGapAv1vYjUbQgvdkMgl2Zu7jfWL2ntzMqS1MhGc:WoGapAv1vYjWSMy7PlnVw1sB

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ggiupjyyoz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ggiupjyyoz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ggiupjyyoz.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ggiupjyyoz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
5000	loader.exe
4452	ac3.exe
4972	jaffa.exe
1812	jkka.exe
1240	ggiupjyyoz.exe
648	rmjetilpwducljq.exe
1044	pomnzbik.exe
4008	oyetdqabhlzyg.exe
4652	pomnzbik.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1224	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ggiupjyyoz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\erpxrutv = "ggiupjyyoz.exe"	rmjetilpwducljq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\glzxqmco = "rmjetilpwducljq.exe"	rmjetilpwducljq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyetdqabhlzyg.exe"	rmjetilpwducljq.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	ggiupjyyoz.exe
File opened (read-only)	\??\z:	pomnzbik.exe
File opened (read-only)	\??\a:	pomnzbik.exe
File opened (read-only)	\??\n:	pomnzbik.exe
File opened (read-only)	\??\v:	ggiupjyyoz.exe
File opened (read-only)	\??\r:	pomnzbik.exe
File opened (read-only)	\??\s:	pomnzbik.exe
File opened (read-only)	\??\x:	pomnzbik.exe
File opened (read-only)	\??\i:	ggiupjyyoz.exe
File opened (read-only)	\??\k:	pomnzbik.exe
File opened (read-only)	\??\r:	pomnzbik.exe
File opened (read-only)	\??\j:	ggiupjyyoz.exe
File opened (read-only)	\??\x:	ggiupjyyoz.exe
File opened (read-only)	\??\z:	ggiupjyyoz.exe
File opened (read-only)	\??\l:	pomnzbik.exe
File opened (read-only)	\??\n:	pomnzbik.exe
File opened (read-only)	\??\p:	pomnzbik.exe
File opened (read-only)	\??\h:	pomnzbik.exe
File opened (read-only)	\??\g:	pomnzbik.exe
File opened (read-only)	\??\t:	pomnzbik.exe
File opened (read-only)	\??\n:	ggiupjyyoz.exe
File opened (read-only)	\??\p:	ggiupjyyoz.exe
File opened (read-only)	\??\a:	pomnzbik.exe
File opened (read-only)	\??\j:	pomnzbik.exe
File opened (read-only)	\??\s:	ggiupjyyoz.exe
File opened (read-only)	\??\t:	ggiupjyyoz.exe
File opened (read-only)	\??\i:	pomnzbik.exe
File opened (read-only)	\??\l:	ggiupjyyoz.exe
File opened (read-only)	\??\o:	ggiupjyyoz.exe
File opened (read-only)	\??\q:	pomnzbik.exe
File opened (read-only)	\??\o:	pomnzbik.exe
File opened (read-only)	\??\u:	pomnzbik.exe
File opened (read-only)	\??\b:	ggiupjyyoz.exe
File opened (read-only)	\??\e:	ggiupjyyoz.exe
File opened (read-only)	\??\t:	pomnzbik.exe
File opened (read-only)	\??\e:	pomnzbik.exe
File opened (read-only)	\??\q:	pomnzbik.exe
File opened (read-only)	\??\g:	ggiupjyyoz.exe
File opened (read-only)	\??\y:	ggiupjyyoz.exe
File opened (read-only)	\??\e:	pomnzbik.exe
File opened (read-only)	\??\k:	ggiupjyyoz.exe
File opened (read-only)	\??\g:	pomnzbik.exe
File opened (read-only)	\??\m:	pomnzbik.exe
File opened (read-only)	\??\o:	pomnzbik.exe
File opened (read-only)	\??\w:	pomnzbik.exe
File opened (read-only)	\??\b:	pomnzbik.exe
File opened (read-only)	\??\i:	pomnzbik.exe
File opened (read-only)	\??\m:	pomnzbik.exe
File opened (read-only)	\??\v:	pomnzbik.exe
File opened (read-only)	\??\y:	pomnzbik.exe
File opened (read-only)	\??\z:	pomnzbik.exe
File opened (read-only)	\??\h:	ggiupjyyoz.exe
File opened (read-only)	\??\w:	ggiupjyyoz.exe
File opened (read-only)	\??\v:	pomnzbik.exe
File opened (read-only)	\??\l:	pomnzbik.exe
File opened (read-only)	\??\w:	pomnzbik.exe
File opened (read-only)	\??\k:	pomnzbik.exe
File opened (read-only)	\??\a:	ggiupjyyoz.exe
File opened (read-only)	\??\m:	ggiupjyyoz.exe
File opened (read-only)	\??\r:	ggiupjyyoz.exe
File opened (read-only)	\??\u:	ggiupjyyoz.exe
File opened (read-only)	\??\p:	pomnzbik.exe
File opened (read-only)	\??\s:	pomnzbik.exe
File opened (read-only)	\??\u:	pomnzbik.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ggiupjyyoz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ggiupjyyoz.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001ac38-75.dat	autoit_exe
behavioral1/files/0x000700000001ac3a-93.dat	autoit_exe
behavioral1/memory/4972-94-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000800000001ac2c-111.dat	autoit_exe
behavioral1/files/0x000800000001ac2b-123.dat	autoit_exe
behavioral1/files/0x000800000001ac2d-133.dat	autoit_exe
behavioral1/files/0x000800000001ac2e-135.dat	autoit_exe
behavioral1/files/0x000700000001ac6f-347.dat	autoit_exe
behavioral1/files/0x000700000001ac70-353.dat	autoit_exe
behavioral1/files/0x000900000001ac61-484.dat	autoit_exe
behavioral1/files/0x000800000001ac45-526.dat	autoit_exe
behavioral1/files/0x000800000001ac45-528.dat	autoit_exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ggiupjyyoz.exe	jaffa.exe
File created	C:\Windows\SysWOW64\pomnzbik.exe	jaffa.exe
File created	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	pomnzbik.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	pomnzbik.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	pomnzbik.exe
File opened for modification	C:\Windows\SysWOW64\rmjetilpwducljq.exe	jaffa.exe
File created	C:\Windows\SysWOW64\oyetdqabhlzyg.exe	jaffa.exe
File created	C:\Windows\SysWOW64\rmjetilpwducljq.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\oyetdqabhlzyg.exe	jaffa.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	pomnzbik.exe
File created	C:\Windows\SysWOW64\ggiupjyyoz.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\pomnzbik.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ggiupjyyoz.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	pomnzbik.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal	pomnzbik.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	pomnzbik.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	pomnzbik.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	pomnzbik.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	pomnzbik.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	pomnzbik.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	pomnzbik.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal	pomnzbik.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\mydoc.rtf	jaffa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 3 IoCs

evasion

pid	Process
1884	taskkill.exe
436	taskkill.exe
2892	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BA203D9-190B-11EF-ABE2-6EF3773CDC0A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB15A47E339EC52C4BAD0329CD7CD"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67D1491DBB3B9BC7CE9EDE434C6"	jaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	ggiupjyyoz.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	ggiupjyyoz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	ggiupjyyoz.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 983620615f54bf01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a48be95d18adda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	ggiupjyyoz.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ggiupjyyoz.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	ggiupjyyoz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ggiupjyyoz.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000b616e051a0b2b0d4f84a6a89233e6b805e30cfb5b4f59e78a5d1acb0d3b9bb4a3e8dd52a0b6fe4e0a6b51258886f4b6b124686b1f45b42d6df7e	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2668	WINWORD.EXE
2668	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
1240	ggiupjyyoz.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
4008	oyetdqabhlzyg.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
1044	pomnzbik.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
648	rmjetilpwducljq.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeSystemtimePrivilege	4828	cmd.exe
Token: SeSystemtimePrivilege	4828	cmd.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	792	MicrosoftEdge.exe
Token: SeDebugPrivilege	792	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
4980	iexplore.exe
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4008	oyetdqabhlzyg.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
4008	oyetdqabhlzyg.exe
1044	pomnzbik.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
4008	oyetdqabhlzyg.exe
1044	pomnzbik.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
1044	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
4972	jaffa.exe
4972	jaffa.exe
4972	jaffa.exe
4008	oyetdqabhlzyg.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
4008	oyetdqabhlzyg.exe
1044	pomnzbik.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
4008	oyetdqabhlzyg.exe
1044	pomnzbik.exe
648	rmjetilpwducljq.exe
1240	ggiupjyyoz.exe
1044	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe
4652	pomnzbik.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
792	MicrosoftEdge.exe
1776	MicrosoftEdgeCP.exe
4980	iexplore.exe
4980	iexplore.exe
3356	IEXPLORE.EXE
3356	IEXPLORE.EXE
5060	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
2668	WINWORD.EXE
2668	WINWORD.EXE
2668	WINWORD.EXE
2668	WINWORD.EXE
2668	WINWORD.EXE
2668	WINWORD.EXE
2668	WINWORD.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 5000	1680	lol.exe	72
PID 1680 wrote to memory of 5000	1680	lol.exe	72
PID 5000 wrote to memory of 3820	5000	loader.exe	74
PID 5000 wrote to memory of 3820	5000	loader.exe	74
PID 3820 wrote to memory of 4828	3820	cmd.exe	76
PID 3820 wrote to memory of 4828	3820	cmd.exe	76
PID 4828 wrote to memory of 1160	4828	cmd.exe	81
PID 4828 wrote to memory of 1160	4828	cmd.exe	81
PID 4828 wrote to memory of 4980	4828	cmd.exe	82
PID 4828 wrote to memory of 4980	4828	cmd.exe	82
PID 4828 wrote to memory of 436	4828	cmd.exe	85
PID 4828 wrote to memory of 436	4828	cmd.exe	85
PID 4980 wrote to memory of 3356	4980	iexplore.exe	87
PID 4980 wrote to memory of 3356	4980	iexplore.exe	87
PID 4980 wrote to memory of 3356	4980	iexplore.exe	87
PID 4828 wrote to memory of 2892	4828	cmd.exe	89
PID 4828 wrote to memory of 2892	4828	cmd.exe	89
PID 4828 wrote to memory of 4452	4828	cmd.exe	90
PID 4828 wrote to memory of 4452	4828	cmd.exe	90
PID 4828 wrote to memory of 4452	4828	cmd.exe	90
PID 4828 wrote to memory of 1884	4828	cmd.exe	92
PID 4828 wrote to memory of 1884	4828	cmd.exe	92
PID 4828 wrote to memory of 1224	4828	cmd.exe	93
PID 4828 wrote to memory of 1224	4828	cmd.exe	93
PID 4828 wrote to memory of 4972	4828	cmd.exe	94
PID 4828 wrote to memory of 4972	4828	cmd.exe	94
PID 4828 wrote to memory of 4972	4828	cmd.exe	94
PID 4828 wrote to memory of 2760	4828	cmd.exe	95
PID 4828 wrote to memory of 2760	4828	cmd.exe	95
PID 4828 wrote to memory of 1812	4828	cmd.exe	96
PID 4828 wrote to memory of 1812	4828	cmd.exe	96
PID 4828 wrote to memory of 1812	4828	cmd.exe	96
PID 4972 wrote to memory of 1240	4972	jaffa.exe	97
PID 4972 wrote to memory of 1240	4972	jaffa.exe	97
PID 4972 wrote to memory of 1240	4972	jaffa.exe	97
PID 4972 wrote to memory of 648	4972	jaffa.exe	98
PID 4972 wrote to memory of 648	4972	jaffa.exe	98
PID 4972 wrote to memory of 648	4972	jaffa.exe	98
PID 4972 wrote to memory of 1044	4972	jaffa.exe	99
PID 4972 wrote to memory of 1044	4972	jaffa.exe	99
PID 4972 wrote to memory of 1044	4972	jaffa.exe	99
PID 4972 wrote to memory of 4008	4972	jaffa.exe	100
PID 4972 wrote to memory of 4008	4972	jaffa.exe	100
PID 4972 wrote to memory of 4008	4972	jaffa.exe	100
PID 4972 wrote to memory of 2668	4972	jaffa.exe	101
PID 4972 wrote to memory of 2668	4972	jaffa.exe	101
PID 1776 wrote to memory of 2252	1776	MicrosoftEdgeCP.exe	91
PID 1776 wrote to memory of 2252	1776	MicrosoftEdgeCP.exe	91
PID 1776 wrote to memory of 2252	1776	MicrosoftEdgeCP.exe	91
PID 1776 wrote to memory of 2252	1776	MicrosoftEdgeCP.exe	91
PID 1240 wrote to memory of 4652	1240	ggiupjyyoz.exe	102
PID 1240 wrote to memory of 4652	1240	ggiupjyyoz.exe	102
PID 1240 wrote to memory of 4652	1240	ggiupjyyoz.exe	102

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\loader.exe
  "C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K main.cmd
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\helper.vbs"
        5⤵
        
        PID:1160
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\spinner.gif
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:82945 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\ac3.exe
        
        ac3.exe
        5⤵
        Executes dropped EXE
        
        PID:4452
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im fontdrvhost
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\system32\icacls.exe
        
        icacls c:\Windows\explorer.exe /grant Admin:(F,M)
        5⤵
        Modifies file permissions
        
        PID:1224
    - - C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\jaffa.exe
        
        jaffa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\ggiupjyyoz.exe
        
        ggiupjyyoz.exe
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Windows security modification
        Enumerates connected drives
        Modifies WinLogon
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\pomnzbik.exe
        
        C:\Windows\system32\pomnzbik.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4652
      - C:\Windows\SysWOW64\rmjetilpwducljq.exe
        
        rmjetilpwducljq.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:648
      - C:\Windows\SysWOW64\pomnzbik.exe
        
        pomnzbik.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1044
      - C:\Windows\SysWOW64\oyetdqabhlzyg.exe
        
        oyetdqabhlzyg.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4008
      - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        6⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2668
    - - C:\Windows\system32\iexpress.exe
        
        IEXPRESS.exe
        5⤵
        
        PID:2760
    - - C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\jkka.exe
        
        jkka.exe
        5⤵
        Executes dropped EXE
        
        PID:1812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:792

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
fa16d830192b18316780850f90a4b276

SHA1
790e197e6ae516b8a1757d2b8f5bebc48fb04d57

SHA256
07c4e9487f4ddbf600ca5b931e079c8fec46edcf7c933a5c195a37a88749db60

SHA512
1a8ce322193a309a8943d6a0793f4507e57a16a5ac3b4fbda07a458603d3f8e40e51d7b3c373307ef7d8b4886073fb41bc374483525b8d53cdcc955d5b5261d9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
3f8a3df2da982ea823359ac55b5c0152

SHA1
776fff95570956530fd8edba542779c06a429698

SHA256
7b51d5d0e15518cd2d7424aa98866ccb6beda389dd1598fb2e5fb4e0490665c2

SHA512
7b9f2808fee012b7e0fc1725ec48b0ce1abe1049f76f0f4e9d05e41ea2d8b9424da0e9d3cbfcfe85f1f37126d5e4fa41d1aaeb9b6d0d895b69a6aafd03393ad7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF07074EFD75308E3C.TMP

Filesize
16KB

MD5
dbc2266782260562589fb2dc039ca8b9

SHA1
6587bafc135b7fa4b32cfedbe199441769ca7ece

SHA256
b96c0ad9cb537c5a04d5d349132d41817c17aac6ca4810b744818bdaf072036c

SHA512
fa498211113920ab0671a7ef92a9c977d3417123eeb1d5a07c371541f3f3b873b2e09dc5b0558552d88276e708fd84d47dac041e8682492227fffd1b90e8d1e1

Download Submit
C:\Users\Admin\AppData\Roaming\InvokeExport.doc.exe

Filesize
512KB

MD5
795f4ec1e2137466044624feef4711d4

SHA1
417ed4d5fdf1e2867d61e7b09dda1385581abee1

SHA256
e705a2c8a9aaf19b4e1b5b30bc4a005ea79c5f25f387267b0d07967327172f30

SHA512
bc58a4a7d64e38fd7d7933e99227a38fbe2d352ac815544c5f400897fe37ad84bfc1a213bac240a4096fc9890e26748a8fa9a1ce03cfb7784dbca0aa7e902627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
251B

MD5
3ccf5b18b0135f854f44b7eb81d2b08c

SHA1
80731b88813d1bc5a87ef4a6bf35c72b237f8a3c

SHA256
8e0a77f187ed73b03ae432e9c0f05fd99c283902e12835af668746784cc58f50

SHA512
4a1be3e7e5fbeb7c2761e5333c64b8862e27bd7801644e363a0299bb17ae3d3671416070acc46461f8f346b8590a44d41e06b728b1de1b23955ff946de6423b9

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\ac3.exe

Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\helper.vbs

Filesize
26B

MD5
7a97744bc621cf22890e2aebd10fd5c8

SHA1
1147c8df448fe73da6aa6c396c5c53457df87620

SHA256
153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

SHA512
89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\jaffa.exe

Filesize
512KB

MD5
6b1b6c081780047b333e1e9fb8e473b6

SHA1
8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

SHA256
e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

SHA512
022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\jkka.exe

Filesize
1002KB

MD5
42e4b26357361615b96afde69a5f0cc3

SHA1
35346fe0787f14236296b469bf2fed5c24a1a53d

SHA256
e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb

SHA512
fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\loader.exe

Filesize
5KB

MD5
3a66b8c04d1437b4c4da631053a76bb5

SHA1
bcf8f381932d376f3f8e53c82b2b13ff31ee097b

SHA256
c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc

SHA512
b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\main.cmd

Filesize
458B

MD5
988f9784a38c753cb2c3bf572c38f80a

SHA1
25076fbadfbca5f975ed3cecace2dfddc15a628c

SHA256
8a8259eb40890a16c4c99573798519edb2f0bfd2992642b3b7519d64f4e316fb

SHA512
661716a6be4152f6673dc7db623203c7540a9e7ec305a4a8a7395071900d6ef5b6353648d9747ab837138f7a16af02b135474650517f31c968fe7680d2ed0be5

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\spinner.gif

Filesize
44KB

MD5
324f8384507560259aaa182eb0c7f94a

SHA1
3b86304767e541ddb32fdda2e9996d8dbeca16ed

SHA256
f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

SHA512
cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\temp.bat

Filesize
16B

MD5
683678b879bd775b775240fcb1cd495e

SHA1
10bc596b3d03e1ba328068305c8acee2745c731c

SHA256
64f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba

SHA512
3b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963

Download Submit
C:\Users\Admin\Desktop\lol_12dd142f-9da1-430b-a002-d8053cea3a30\web.htm

Filesize
176B

MD5
1fab717c517da1c27e82a93edddf9390

SHA1
24b6cfda27c15c1d01ba5718106c18687ed77397

SHA256
bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c

SHA512
5452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5

Download Submit
C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
cb5601abb6286e63fb4e1fbd33ec59ce

SHA1
d1759b373ad939d69ec66d1db96b7add45a18c6c

SHA256
45df920e76cf8dc100953fb909977d12265b96b573ec5d8c30cfd386c0c27236

SHA512
92e104deddba4a4464bcc4d2374eeee3fc9aef3cfc44fa7b1089d5772144338a6df1f68ff1b2e53efa719fc64c84fdf31c287d78e156ea3d0783c26e23c52ebd

Download Submit
C:\Windows\SysWOW64\ggiupjyyoz.exe

Filesize
512KB

MD5
2e9e646174c559809542a03ae5e1f0a8

SHA1
a47d41f920a6f35f295f01e97ada16d3ae69e4c6

SHA256
cb32b7fe8f93c86884897791276e3e4a41d5eca2ec6353e5e116d788580bd6a8

SHA512
1ebddfe6bf3e0482ddd8fc9cea0ee8cc6ca528a61896a1dafc989d69053ad2abe31cd568450ca96d88610beb483a1391eea5e85229f082324384e2094e52bfd9

Download Submit
C:\Windows\SysWOW64\oyetdqabhlzyg.exe

Filesize
512KB

MD5
5c450f8d76a5925c7798452eb9d67a7b

SHA1
4c06bbd70b0809c556cba079fab28cda570ece35

SHA256
05f524589b614a77ef17b66246143cd7dcc6a858aac06521c4f47b4f34e01844

SHA512
1e649dd6683445b493605b9ab29c2937be085dd4db9a334764b6bcc536b1adbbd4b2365be5ebc33de240115cf9f58d611cd50da8fac00c940c4ba33979197867

Download Submit
C:\Windows\SysWOW64\pomnzbik.exe

Filesize
512KB

MD5
c9dfc5d1ccc16bac53d80b35fba0645f

SHA1
3f8e837cedf6654adbfaacf41dfa8031e3703264

SHA256
96ed8ad1999673646032cc2bb2f73b586bcd2e23804619e88ed76fba9d9a94aa

SHA512
7602810dda2d23fdf39c5f1dc34177ff9ff61794632abb6a7e4983b009ca75c0d3ae283fe5b10499a799f4fba25a614bc554c3acd00b52a5bf66bd65a28ac91d

Download Submit
C:\Windows\SysWOW64\rmjetilpwducljq.exe

Filesize
512KB

MD5
7d627df102fc137837c4fec18b04f3c0

SHA1
cfdac957dadb4323bcade06a3583920f5e2d4fd0

SHA256
adb1b1330c39fdb08b284f2b8ec967587bdde799db9612d11db1c21a74b0bb83

SHA512
f51406285a21e25c33ea61b65d1dd222f71a7a5608eca5fbf3fd6a39e61cacdcdaa164706baefc5113bcad38f9726de59a148a7f91b3f288cca45f3257e8d6c3

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
4824592c28a403fd2661fdcb07856e76

SHA1
f71f8474fb18203c724f8cf01c7ebd958502f4d8

SHA256
5d453b29d2cc158e195551d8076fd22cd878e42116f150bf1468199f4984dcdc

SHA512
25256d31830059cf07a59b45a40ea2f1fb3d2f5af18cd9cb3bab3800e21fbf077e02ec059b87ed12ef99f84bd9f30ed8ab3a9538a4a9cd9b08816d88876ad8ca

Download Submit
memory/792-511-0x0000029EC04F0000-0x0000029EC04F1000-memory.dmp

Filesize
4KB

Download
memory/792-66-0x0000029EC04C0000-0x0000029EC04C2000-memory.dmp

Filesize
8KB

Download
memory/792-47-0x0000029EC3120000-0x0000029EC3130000-memory.dmp

Filesize
64KB

Download
memory/792-508-0x0000029EC21A0000-0x0000029EC21A2000-memory.dmp

Filesize
8KB

Download
memory/792-31-0x0000029EC3020000-0x0000029EC3030000-memory.dmp

Filesize
64KB

Download
memory/792-515-0x0000029EC04B0000-0x0000029EC04B1000-memory.dmp

Filesize
4KB

Download
memory/1680-4-0x0000000005A20000-0x0000000005F1E000-memory.dmp

Filesize
5.0MB

Download
memory/1680-0-0x000000007387E000-0x000000007387F000-memory.dmp

Filesize
4KB

Download
memory/1680-491-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-490-0x000000007387E000-0x000000007387F000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-2-0x0000000005450000-0x0000000005474000-memory.dmp

Filesize
144KB

Download
memory/1680-1-0x0000000000BA0000-0x0000000000C72000-memory.dmp

Filesize
840KB

Download
memory/1812-103-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2252-149-0x0000024DE98E0000-0x0000024DE98E2000-memory.dmp

Filesize
8KB

Download
memory/2252-151-0x0000024DE9900000-0x0000024DE9902000-memory.dmp

Filesize
8KB

Download
memory/2252-98-0x0000024DD9310000-0x0000024DD9410000-memory.dmp

Filesize
1024KB

Download
memory/2252-155-0x0000024DE9940000-0x0000024DE9942000-memory.dmp

Filesize
8KB

Download
memory/2252-153-0x0000024DE9920000-0x0000024DE9922000-memory.dmp

Filesize
8KB

Download
memory/2668-476-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-164-0x00007FFA16120000-0x00007FFA16130000-memory.dmp

Filesize
64KB

Download
memory/2668-478-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-479-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-158-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-477-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-163-0x00007FFA16120000-0x00007FFA16130000-memory.dmp

Filesize
64KB

Download
memory/2668-159-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-160-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/2668-157-0x00007FFA18EF0000-0x00007FFA18F00000-memory.dmp

Filesize
64KB

Download
memory/4972-94-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/5000-24-0x00007FFA3D300000-0x00007FFA3DCA0000-memory.dmp

Filesize
9.6MB

Download
memory/5000-519-0x00007FFA3D5B5000-0x00007FFA3D5B6000-memory.dmp

Filesize
4KB

Download
memory/5000-520-0x00007FFA3D300000-0x00007FFA3DCA0000-memory.dmp

Filesize
9.6MB

Download
memory/5000-22-0x00007FFA3D300000-0x00007FFA3DCA0000-memory.dmp

Filesize
9.6MB

Download
memory/5000-21-0x00007FFA3D5B5000-0x00007FFA3D5B6000-memory.dmp

Filesize
4KB

Download
memory/5060-88-0x0000022E8B900000-0x0000022E8BA00000-memory.dmp

Filesize
1024KB

Download