785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Size

89KB
MD5

59570179859c1eb4286b100aaf25cd74
SHA1

5a87f58be1d93e2c440d80e2a3415b0f143a9d33
SHA256

785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920
SHA512

f3dae0c5b9cfbef900908c69613e5c5e9b772ef0f3cfdbcd6ed6ea8dceab94635d7bcd09d6ec028f61531ba268a419dded5010a53740be4b62a0aade93c1c88f
SSDEEP

1536:7keK40T/mx7y9v7Z/Z2V/GSAFRfBh7VoKI:AD40Dmx7y9DZ/Z2hGVaKI

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	CTFMON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe

Executes dropped EXE 12 IoCs

pid	Process
644	SVCHOST.EXE
1884	SVCHOST.EXE
764	SPOOLSV.EXE
820	SVCHOST.EXE
696	SPOOLSV.EXE
364	CTFMON.EXE
1192	SVCHOST.EXE
1468	SPOOLSV.EXE
1996	CTFMON.EXE
1964	CTFMON.EXE
616	SPOOLSV.EXE
1564	CTFMON.EXE

Loads dropped DLL 15 IoCs

pid	Process
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
644	SVCHOST.EXE
644	SVCHOST.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
644	SVCHOST.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\X:	CTFMON.EXE
File opened (read-only)	\??\I:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\R:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\T:	CTFMON.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\E:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\G:	CTFMON.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\U:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\I:	CTFMON.EXE
File opened (read-only)	\??\O:	CTFMON.EXE
File opened (read-only)	\??\V:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\Z:	CTFMON.EXE
File opened (read-only)	\??\J:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\M:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\Q:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\Y:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\L:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\F:	CTFMON.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\F:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\P:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\E:	CTFMON.EXE
File opened (read-only)	\??\T:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\S:	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\U:	CTFMON.EXE
File opened (read-only)	\??\V:	CTFMON.EXE
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	CTFMON.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2028	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
764	SPOOLSV.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
644	SVCHOST.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
764	SPOOLSV.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
764	SPOOLSV.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
764	SPOOLSV.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
764	SPOOLSV.EXE
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
644	SVCHOST.EXE
1884	SVCHOST.EXE
764	SPOOLSV.EXE
820	SVCHOST.EXE
696	SPOOLSV.EXE
364	CTFMON.EXE
1192	SVCHOST.EXE
1468	SPOOLSV.EXE
1996	CTFMON.EXE
1964	CTFMON.EXE
616	SPOOLSV.EXE
1564	CTFMON.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 644	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	27
PID 2024 wrote to memory of 644	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	27
PID 2024 wrote to memory of 644	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	27
PID 2024 wrote to memory of 644	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	27
PID 644 wrote to memory of 1884	644	SVCHOST.EXE	28
PID 644 wrote to memory of 1884	644	SVCHOST.EXE	28
PID 644 wrote to memory of 1884	644	SVCHOST.EXE	28
PID 644 wrote to memory of 1884	644	SVCHOST.EXE	28
PID 644 wrote to memory of 764	644	SVCHOST.EXE	29
PID 644 wrote to memory of 764	644	SVCHOST.EXE	29
PID 644 wrote to memory of 764	644	SVCHOST.EXE	29
PID 644 wrote to memory of 764	644	SVCHOST.EXE	29
PID 764 wrote to memory of 820	764	SPOOLSV.EXE	30
PID 764 wrote to memory of 820	764	SPOOLSV.EXE	30
PID 764 wrote to memory of 820	764	SPOOLSV.EXE	30
PID 764 wrote to memory of 820	764	SPOOLSV.EXE	30
PID 764 wrote to memory of 696	764	SPOOLSV.EXE	31
PID 764 wrote to memory of 696	764	SPOOLSV.EXE	31
PID 764 wrote to memory of 696	764	SPOOLSV.EXE	31
PID 764 wrote to memory of 696	764	SPOOLSV.EXE	31
PID 764 wrote to memory of 364	764	SPOOLSV.EXE	32
PID 764 wrote to memory of 364	764	SPOOLSV.EXE	32
PID 764 wrote to memory of 364	764	SPOOLSV.EXE	32
PID 764 wrote to memory of 364	764	SPOOLSV.EXE	32
PID 364 wrote to memory of 1192	364	CTFMON.EXE	33
PID 364 wrote to memory of 1192	364	CTFMON.EXE	33
PID 364 wrote to memory of 1192	364	CTFMON.EXE	33
PID 364 wrote to memory of 1192	364	CTFMON.EXE	33
PID 364 wrote to memory of 1468	364	CTFMON.EXE	34
PID 364 wrote to memory of 1468	364	CTFMON.EXE	34
PID 364 wrote to memory of 1468	364	CTFMON.EXE	34
PID 364 wrote to memory of 1468	364	CTFMON.EXE	34
PID 364 wrote to memory of 1996	364	CTFMON.EXE	35
PID 364 wrote to memory of 1996	364	CTFMON.EXE	35
PID 364 wrote to memory of 1996	364	CTFMON.EXE	35
PID 364 wrote to memory of 1996	364	CTFMON.EXE	35
PID 644 wrote to memory of 1964	644	SVCHOST.EXE	36
PID 644 wrote to memory of 1964	644	SVCHOST.EXE	36
PID 644 wrote to memory of 1964	644	SVCHOST.EXE	36
PID 644 wrote to memory of 1964	644	SVCHOST.EXE	36
PID 2024 wrote to memory of 616	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	37
PID 2024 wrote to memory of 616	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	37
PID 2024 wrote to memory of 616	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	37
PID 2024 wrote to memory of 616	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	37
PID 2024 wrote to memory of 1564	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	39
PID 2024 wrote to memory of 1564	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	39
PID 2024 wrote to memory of 1564	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	39
PID 2024 wrote to memory of 1564	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	39
PID 644 wrote to memory of 744	644	SVCHOST.EXE	38
PID 644 wrote to memory of 744	644	SVCHOST.EXE	38
PID 644 wrote to memory of 744	644	SVCHOST.EXE	38
PID 644 wrote to memory of 744	644	SVCHOST.EXE	38
PID 744 wrote to memory of 1048	744	userinit.exe	40
PID 744 wrote to memory of 1048	744	userinit.exe	40
PID 744 wrote to memory of 1048	744	userinit.exe	40
PID 744 wrote to memory of 1048	744	userinit.exe	40
PID 2024 wrote to memory of 2028	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	42
PID 2024 wrote to memory of 2028	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	42
PID 2024 wrote to memory of 2028	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	42
PID 2024 wrote to memory of 2028	2024	785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe	42
PID 2028 wrote to memory of 1956	2028	WINWORD.EXE	45
PID 2028 wrote to memory of 1956	2028	WINWORD.EXE	45
PID 2028 wrote to memory of 1956	2028	WINWORD.EXE	45
PID 2028 wrote to memory of 1956	2028	WINWORD.EXE	45

C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
"C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:820
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:696
  - - C:\recycled\CTFMON.EXE
      C:\recycled\CTFMON.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
    - - C:\recycled\CTFMON.EXE
        
        C:\recycled\CTFMON.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
- - C:\recycled\CTFMON.EXE
    C:\recycled\CTFMON.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      PID:1048
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\recycled\CTFMON.EXE
  C:\recycled\CTFMON.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
C:\recycled\SVCHOST.exe

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
\Recycled\CTFMON.EXE

Filesize
89KB

MD5
07290ab0ec114e005860a7d198010672

SHA1
d903c3f72a6c50d222ae992c3c0eff10fa939536

SHA256
99d13cd72c9b1ffd3a7f084934efc4c34989fe824d785cca310b68e8c5009c23

SHA512
880568bf0a502f7c1ededb3580ec06a2d57ab7e1295ad2d908bc66020d786cb670698ca4821105a64f61656f10a052c66a034191a55fccc29c7f3da30952a72b

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
52ca7fd68c71f4efbd00435970caacbd

SHA1
9986ec73570220d899bc9cfcf0a0bf2cdf2abacb

SHA256
cf65cc3ed7c8c937c940a4a0e470b86b2a62ea1d9fd2b6510acb283c4d3ee73c

SHA512
4e19527a8e5e3fe9f5b96634e8f5b717e7aafed6495692b96318e121d33c82a5b7a07f8b56b8ce81372a8712bc23b8cdaa64d12973c4129dc451bc898a7ff95a

Download Submit
\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
a14d862a6129d63332bdab04e6df7674

SHA1
8fab32e69db55223e021efb585995c59de9c75ca

SHA256
8c4021491ba56f20fc0ff032bd7fcb1bb3dbbdb7fdc7ca4a5eac80b630812754

SHA512
4773ae1b970db15afb604dd17c09943d8236584bb0fca67d66d53a3e79732a3aa5ec31ac989753129c0e93021518005fd7af54902f49da8b575bb075719d8713

Download Submit
memory/364-169-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/364-170-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/364-138-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/364-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/364-168-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/616-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/644-165-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/644-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/644-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/644-139-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/696-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/764-134-0x0000000000810000-0x000000000082A000-memory.dmp

Filesize
104KB

Download
memory/764-166-0x0000000000810000-0x000000000082A000-memory.dmp

Filesize
104KB

Download
memory/764-167-0x0000000001EB0000-0x0000000001ECA000-memory.dmp

Filesize
104KB

Download
memory/764-135-0x0000000001EB0000-0x0000000001ECA000-memory.dmp

Filesize
104KB

Download
memory/764-136-0x0000000001EB0000-0x0000000001ECA000-memory.dmp

Filesize
104KB

Download
memory/764-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/988-152-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1048-150-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/1192-106-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1468-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1564-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1884-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1964-124-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1996-117-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2024-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2024-153-0x0000000002660000-0x000000000267A000-memory.dmp

Filesize
104KB

Download
memory/2024-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2024-128-0x0000000002660000-0x000000000267A000-memory.dmp

Filesize
104KB

Download
memory/2028-157-0x00000000706D1000-0x00000000706D3000-memory.dmp

Filesize
8KB

Download
memory/2028-158-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-159-0x00000000716BD000-0x00000000716C8000-memory.dmp

Filesize
44KB

Download
memory/2028-156-0x0000000072C51000-0x0000000072C54000-memory.dmp

Filesize
12KB

Download
memory/2028-163-0x00000000716BD000-0x00000000716C8000-memory.dmp

Filesize
44KB

Download