39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
Size

1.0MB
MD5

56cb4177698cacbaf3f194fbc133f3d5
SHA1

6b52cec6871d408f7e71584eea5ea08b103130ad
SHA256

39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8
SHA512

c47813abaa38f4fd758e6d277311a3fcdac317cacee7a852461a10b2e2f90697f9eddfa325a257acc1d086b401770794f38af93ebd7327b006d46e647a171a4a
SSDEEP

12288:Mmhjxw7dUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxL5BwcyQVaE:Lhe7alj3DSudvGM3MXTVhtSQWGtxkPQF

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3064	onhzpfpufi.exe
2108	shzcwyrpdw.exe
2660	SearchUserHost.exe
1188	Explorer.EXE
1696	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
2880	bindsvc.exe

Loads dropped DLL 13 IoCs

pid	Process
1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
2648	SearchIndexer.exe
2648	SearchIndexer.exe
2648	SearchIndexer.exe
2660	SearchUserHost.exe
1804	SearchProtocolHost.exe
3064	onhzpfpufi.exe
2108	shzcwyrpdw.exe
2108	shzcwyrpdw.exe
1236	SearchFilterHost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000018671-13.dat	upx
behavioral1/memory/2108-21-0x0000000001350000-0x00000000014CA000-memory.dmp	upx
behavioral1/memory/1940-19-0x0000000003130000-0x00000000032AA000-memory.dmp	upx
behavioral1/memory/2108-296-0x0000000001350000-0x00000000014CA000-memory.dmp	upx

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2416	cmd.exe
3020	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\oci.dll	shzcwyrpdw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File created	C:\Windows\System32\bindsvc.exe	shzcwyrpdw.exe
File created	C:\Windows\SysWOW64\racfg.exe	shzcwyrpdw.exe
File created	C:\Windows\SysWOW64\bindsvc.exe	shzcwyrpdw.exe
File created	C:\Windows\system32\msfte.dll	shzcwyrpdw.exe
File created	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File opened for modification	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File created	C:\Windows\SysWOW64\wideshut.exe	shzcwyrpdw.exe
File opened for modification	C:\Windows\SysWOW64\wideshut.exe	shzcwyrpdw.exe
File created	C:\Windows\SysWOW64\wimsvc.exe	shzcwyrpdw.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1920	tasklist.exe
1348	tasklist.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2284	sc.exe
2756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shzcwyrpdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onhzpfpufi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2248	PING.EXE
1568	cmd.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2688	cmd.exe
3028	NETSTAT.EXE

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1976	ipconfig.exe
3028	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2272	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000000913e3b3fcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2248	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2648	SearchIndexer.exe
2648	SearchIndexer.exe
2660	SearchUserHost.exe
1920	tasklist.exe
1920	tasklist.exe
2108	shzcwyrpdw.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2648	SearchIndexer.exe
Token: 33	2648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2648	SearchIndexer.exe
Token: SeDebugPrivilege	1920	tasklist.exe
Token: SeDebugPrivilege	3028	NETSTAT.EXE
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe
Token: SeDebugPrivilege	2660	SearchUserHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
1804	SearchProtocolHost.exe
1804	SearchProtocolHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe
2660	SearchUserHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3064	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	30
PID 1940 wrote to memory of 3064	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	30
PID 1940 wrote to memory of 3064	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	30
PID 1940 wrote to memory of 3064	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	30
PID 1940 wrote to memory of 2108	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	31
PID 1940 wrote to memory of 2108	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	31
PID 1940 wrote to memory of 2108	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	31
PID 1940 wrote to memory of 2108	1940	39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe	31
PID 2648 wrote to memory of 2660	2648	SearchIndexer.exe	33
PID 2648 wrote to memory of 2660	2648	SearchIndexer.exe	33
PID 2648 wrote to memory of 2660	2648	SearchIndexer.exe	33
PID 2660 wrote to memory of 1188	2660	SearchUserHost.exe	21
PID 2648 wrote to memory of 1804	2648	SearchIndexer.exe	34
PID 2648 wrote to memory of 1804	2648	SearchIndexer.exe	34
PID 2648 wrote to memory of 1804	2648	SearchIndexer.exe	34
PID 2648 wrote to memory of 1236	2648	SearchIndexer.exe	35
PID 2648 wrote to memory of 1236	2648	SearchIndexer.exe	35
PID 2648 wrote to memory of 1236	2648	SearchIndexer.exe	35
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	36
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	36
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	36
PID 3064 wrote to memory of 1696	3064	onhzpfpufi.exe	37
PID 3064 wrote to memory of 1696	3064	onhzpfpufi.exe	37
PID 3064 wrote to memory of 1696	3064	onhzpfpufi.exe	37
PID 3064 wrote to memory of 1696	3064	onhzpfpufi.exe	37
PID 2660 wrote to memory of 2664	2660	SearchUserHost.exe	38
PID 2660 wrote to memory of 2664	2660	SearchUserHost.exe	38
PID 2660 wrote to memory of 2664	2660	SearchUserHost.exe	38
PID 2664 wrote to memory of 2272	2664	cmd.exe	40
PID 2664 wrote to memory of 2272	2664	cmd.exe	40
PID 2664 wrote to memory of 2272	2664	cmd.exe	40
PID 1188 wrote to memory of 2212	1188	Explorer.EXE	42
PID 1188 wrote to memory of 2212	1188	Explorer.EXE	42
PID 1188 wrote to memory of 2212	1188	Explorer.EXE	42
PID 2660 wrote to memory of 2476	2660	SearchUserHost.exe	44
PID 2660 wrote to memory of 2476	2660	SearchUserHost.exe	44
PID 2660 wrote to memory of 2476	2660	SearchUserHost.exe	44
PID 2476 wrote to memory of 1920	2476	cmd.exe	46
PID 2476 wrote to memory of 1920	2476	cmd.exe	46
PID 2476 wrote to memory of 1920	2476	cmd.exe	46
PID 2108 wrote to memory of 2696	2108	shzcwyrpdw.exe	47
PID 2108 wrote to memory of 2696	2108	shzcwyrpdw.exe	47
PID 2108 wrote to memory of 2696	2108	shzcwyrpdw.exe	47
PID 2108 wrote to memory of 2696	2108	shzcwyrpdw.exe	47
PID 2696 wrote to memory of 2284	2696	cmd.exe	49
PID 2696 wrote to memory of 2284	2696	cmd.exe	49
PID 2696 wrote to memory of 2284	2696	cmd.exe	49
PID 2108 wrote to memory of 2684	2108	shzcwyrpdw.exe	50
PID 2108 wrote to memory of 2684	2108	shzcwyrpdw.exe	50
PID 2108 wrote to memory of 2684	2108	shzcwyrpdw.exe	50
PID 2108 wrote to memory of 2684	2108	shzcwyrpdw.exe	50
PID 2108 wrote to memory of 2880	2108	shzcwyrpdw.exe	51
PID 2108 wrote to memory of 2880	2108	shzcwyrpdw.exe	51
PID 2108 wrote to memory of 2880	2108	shzcwyrpdw.exe	51
PID 2108 wrote to memory of 2880	2108	shzcwyrpdw.exe	51
PID 2660 wrote to memory of 2688	2660	SearchUserHost.exe	53
PID 2660 wrote to memory of 2688	2660	SearchUserHost.exe	53
PID 2660 wrote to memory of 2688	2660	SearchUserHost.exe	53
PID 2688 wrote to memory of 3028	2688	cmd.exe	55
PID 2688 wrote to memory of 3028	2688	cmd.exe	55
PID 2688 wrote to memory of 3028	2688	cmd.exe	55
PID 2660 wrote to memory of 1992	2660	SearchUserHost.exe	56
PID 2660 wrote to memory of 1992	2660	SearchUserHost.exe	56
PID 2660 wrote to memory of 1992	2660	SearchUserHost.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
  "C:\Users\Admin\AppData\Local\Temp\39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\onhzpfpufi.exe
    "C:\Users\Admin\AppData\Local\Temp\onhzpfpufi.exe" "C:\Users\Admin\AppData\Local\Temp\itadrztdbr.exe" "C:\Users\Admin\AppData\Local\Temp\39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe
      "C:\Users\Admin\AppData\Local\Temp\39a6f19fe835ddba6e650e13d2579f102574a984796094fab0d9ab7e12f031d8.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\shzcwyrpdw.exe
    C:\Users\Admin\AppData\Local\Temp\shzcwyrpdw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\System32\cmd.exe
      /c sc config msdtc obj= LocalSystem
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\system32\sc.exe
        
        sc config msdtc obj= LocalSystem
        5⤵
        Launches sc.exe
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\reKFAfqI.bat"
      4⤵
      PID:2684
  - - C:\Windows\System32\bindsvc.exe
      "C:\Windows\System32\bindsvc.exe"
      4⤵
      Executes dropped EXE
      PID:2880
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:1972
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:2212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\SearchUserHost.exe
  C:\Windows\system32\SearchUserHost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\cmd.exe
    /c systeminfo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2272
- - C:\Windows\system32\cmd.exe
    /c "tasklist /v"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Windows\system32\cmd.exe
    /c "netstat -ano"
    3⤵
    - System Network Connections Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3028
- - C:\Windows\system32\cmd.exe
    /c "ipconfig /all"
    3⤵
    PID:1992
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1976
- - C:\Windows\system32\cmd.exe
    /c "route print"
    3⤵
    PID:1952
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2896
- - C:\Windows\system32\cmd.exe
    /c "arp -a"
    3⤵
    - Network Service Discovery
    PID:2416
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3020
- - C:\Windows\system32\cmd.exe
    /c "tasklist /m msfte.dll"
    3⤵
    PID:1852
  - - C:\Windows\system32\tasklist.exe
      tasklist /m msfte.dll
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\Windows\system32\cmd.exe
    /c "net share"
    3⤵
    PID:496
  - - C:\Windows\system32\net.exe
      net share
      4⤵
      PID:1756
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:928
- - C:\Windows\system32\cmd.exe
    /c "ping server"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1568
  - - C:\Windows\system32\PING.EXE
      ping server
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2248
- - C:\Windows\system32\cmd.exe
    /c "sc query hfile.sys"
    3⤵
    PID:2040
  - - C:\Windows\system32\sc.exe
      sc query hfile.sys
      4⤵
      Launches sc.exe
      PID:2756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 540 556 564 65536 560
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
05a5cc4f1e1e617e5b968d684a91fcc3

SHA1
2194d2e97be7b90764327d222abc5dbafe2a1fc4

SHA256
e9fcc50ea1217cdaff7bf29ad0fcdb27f596ef5a82f2f74214e8dd41c3e8605c

SHA512
1cb191b53d396880786cf7fd899859563d5769cc923764bdc60e80f93019a641206f8c0b9fb417dadfaafef02c5e2265f7c058b6154950ee7f21bd32d6d94513

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
d2ce730d247ed8ea08a30826ec1e9a13

SHA1
d05bdbaad1a91c1076297b8c4afcde35a27d2e46

SHA256
8bacdbba1d884a1af85303f726a8419f7553f547ff02d950b07bdc416ebfa6b2

SHA512
87a4b9bb6f1d4683e5ffcc21a4c055e0b61e4a7516e397a53529b8b716fecad7c1ab065eb11f0a4f4187a10ffabbea4b47ab1d614fd4ee1755ced2322bf2567e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000

Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\itadrztdbr.exe

Filesize
209KB

MD5
8d98511924d571c2b0e11d765b857a8a

SHA1
b9ce4bacd3e7e644626fae63f746d4466dba737e

SHA256
666902c802f71eafbbb130664af70cea1d0cae2798b5be979b29ae9fc43feb7e

SHA512
925d53bb92ae82b83456d5728e58f608576ba633ce08ef440b4bd4fb04f4db5cf6a171548ff37feca3dc3f89838b9852d4ed74e05f4e07179751f3630ca9ad04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onhzpfpufi.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\reKFAfqI.bat

Filesize
196B

MD5
87c5f4ab7c4d71ccf39e61bded603e00

SHA1
f2d713324bbe9624b6dad94b04a9590703cbe3e7

SHA256
710fb596341bdcd6abe31da06fa8b522bc22deec88bc5a7eebdf294e61ce776f

SHA512
3ce92c9e0763fc58e0f9ebe196552313f9005eb6e6ace6d20a3be98b6c10b794022f5c0637c57813854245e0f1eab21c4e2d57b59866a1a7703dca9af3486007

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
898B

MD5
3d513dc9accb10061f522f5ca01c4ffc

SHA1
7cb16063b8810c537c8cb624b96e1325fd7d6fd1

SHA256
f56286c7b532bb297e428f6fb14e81cc9540fb371e82ef25b5c70be1b7ab9f26

SHA512
35df5156e463c581890af4684fd78b2cd797efbd8e2af419d3b09e1f57d040354cebca72906d4c04956f5d71802ddb2e0e875e66c06a98b9f599da0885a1473f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
2KB

MD5
c8c7271491010e482c35edfe6aa51ceb

SHA1
19fa3de05e7a57ad2661ab08018d2b94d7f11885

SHA256
6cba644575df3ae44f5faa48453a1bacbf8bcc7fe7ca7f6d3c790fa036c0c0b2

SHA512
cea267dda7cba46e9e761fe0b72073192050f11e375cb49ef89a57a32f8a371803e422c19379f3820a61921067bbeb690ddc72c55b7dacd2dee7d16906384d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
3KB

MD5
5f27c70370d8ee1f4ad089a86937371b

SHA1
983c621b847d161c78c2416cb350f88fbba39d90

SHA256
342e8f412168b24ee4033b70a6e7dbff7329b702f6583383a21fec8a79470399

SHA512
f57273e550c7ff942e459a9c9f1b7bf516b1e41996f6881cdc7c6b42ed0bbcbc9a082e644ee6a1b80b3f038782aec7241da8c03bd38e63fd4b2ac999dde6db04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
4KB

MD5
1a5c5b7c6a036c07ba8f356d8fbebace

SHA1
c019e70e5dae698ecd7434ed54341328fb303414

SHA256
d83064fc77713a36b23c85a954e994e855f5e300f1e3e4a7035fd20adf71b500

SHA512
ca3c5608bf60c70959f3eaa54b9dffe2d9b810408d1dce3957878e0d5425366f6df18e3a2b08847f720f55b78ab65d18ba317be03484d7c5ad64c3e3059c5796

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
5c8456ead17271e348896153e57c2e79

SHA1
7967e7e3516e6d7d9333c2faa611db438c958c78

SHA256
3c1c635f506048f71d25058f4d32775924f50dfb603f2c1eaf73f4301d3f7d4c

SHA512
4b9b47714f3a7c46c9a00263a32b4143194ba8ae96474bd55746ba1b04e9309a00757b52ace24236611967c781264a5bd8a60ce7c5e831b7361188f1c403a59e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\CheckpointRemove.docx

Filesize
18KB

MD5
27b1cab38a9c9b78bf6b8341236aa746

SHA1
47e809ffc27b72fd875df46071a5db7c8638762b

SHA256
1ca4826cada6840b01b252b7b05091b22c395cb51292fe42a5917962bfc72599

SHA512
8c41a3c474d848fd0ae994b7ca391e4c4c1089811a94bc3cae183599cbe3b50865dfb5d8a373b257f2a27292f2deb99a3416879388d91fda308a395adbb2280a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\CheckpointRemove.txt

Filesize
8KB

MD5
b6312167af3972f5de465537a88c11dd

SHA1
812d0503c1c752b6b095eb98a4d3750307f690f4

SHA256
9268bd171dae33fece4e305990513e142114b014cab84a4a6b8e87b353627c73

SHA512
7f7368652e2ca17fc25189592c0adcc154b132d404ad88036cda6d84e3d7a0a74767a7120b478449e90f3e1c0fd70bfc55702cfc16afcff681a81141af56251c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\ShowStep.docx

Filesize
15KB

MD5
22151aa4bd0eaf487e105fcc6a1e9088

SHA1
e71bf7e588ae0f9b4848d820989b3ab87329145c

SHA256
3bd61a21526c9d2bf12b50115f3901f3df7abd0bc112168a508ad730866f9154

SHA512
d9d897c6ac7afefe3294375ace5c5ae5d770808095c8e5b9e84aa35f0f21eac63d3874ff883556b10d727461384e6b214dde0046358041b3d3fea93e871e8ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\ShowStep.txt

Filesize
4KB

MD5
b3a6f92a4892e9cb930f0e89d19a92d1

SHA1
336e26a7dd4141e1c729e1fc6ac2b1ce4ffbdb85

SHA256
dce62aa68ba355a829b0e18396cba7e8bf728b6564eb4eef28be8dbd5121f4af

SHA512
79c23fba6e72f6a5c58b193404665f0fb92eba092dfa199d3b0a7e8e13adb2b5d3a345058a62be8e2ad82632130e7cb8909b8d11478a4237645c23004678d693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs

Filesize
1KB

MD5
3439318cedcf37c1bf5fe6d49ddbb2cb

SHA1
e075965bb3b38abdd80668fb6101a0d10b30f080

SHA256
6484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8

SHA512
3dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61

Download Submit
C:\Windows\system32\msfte.dll

Filesize
217KB

MD5
d7ddfd90c55ad42200b2a7e51110ad87

SHA1
0c9429f0b51a73423de4cb0ecf10fd3b3bacd84d

SHA256
4fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446

SHA512
8ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179

Download Submit
\Users\Admin\AppData\Local\Temp\shzcwyrpdw.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
\Windows\System32\SearchUserHost.exe

Filesize
244KB

MD5
42ec9065d9bf266ade924b066c783a56

SHA1
a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77

SHA256
4ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc

SHA512
e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980

Download Submit
\Windows\System32\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
memory/1188-38-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1940-19-0x0000000003130000-0x00000000032AA000-memory.dmp

Filesize
1.5MB

Download
memory/2108-296-0x0000000001350000-0x00000000014CA000-memory.dmp

Filesize
1.5MB

Download
memory/2108-21-0x0000000001350000-0x00000000014CA000-memory.dmp

Filesize
1.5MB

Download
memory/2648-399-0x00000000058E0000-0x00000000058E8000-memory.dmp

Filesize
32KB

Download
memory/2648-407-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/2648-97-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2648-95-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/2648-89-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/2648-372-0x0000000005760000-0x0000000005768000-memory.dmp

Filesize
32KB

Download
memory/2648-42-0x0000000001B80000-0x0000000001B90000-memory.dmp

Filesize
64KB

Download
memory/2648-106-0x0000000003020000-0x0000000003028000-memory.dmp

Filesize
32KB

Download
memory/2648-400-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2648-277-0x0000000003440000-0x0000000003448000-memory.dmp

Filesize
32KB

Download
memory/2648-473-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2648-472-0x00000000053C0000-0x00000000053C8000-memory.dmp

Filesize
32KB

Download
memory/2648-58-0x0000000001C80000-0x0000000001C90000-memory.dmp

Filesize
64KB

Download
memory/2648-496-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/2648-88-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/2648-648-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download