Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
  Resource: win10v2004-20220812-en
General
Target: 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Size: 45KB
MD5: 4f0ba6690bbacc38c924108e9280e6de
SHA1: 4d504f36e3770573686623bd6109c0148443a18c
SHA256: 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b
SHA512: f1653edb42ef3976c9cfc961067b83dbe384e4cd3ce09fbcd8e4c693ab5825a7bf1f8110fc597e88edc7708a1fd97a550d9ad5216649df4285d7b3e4517cb6df
SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXR:EOxyeFo6NPCAosxYyXdF5oy3VoKR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | CTFMON.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Executes dropped EXE (12 IoCs)
pid | Process
1312 | SVCHOST.EXE
4276 | SVCHOST.EXE
4176 | SPOOLSV.EXE
4576 | SVCHOST.EXE
3536 | SPOOLSV.EXE
2024 | CTFMON.EXE
1156 | SVCHOST.EXE
4288 | SPOOLSV.EXE
208 | CTFMON.EXE
2156 | CTFMON.EXE
4536 | SPOOLSV.EXE
3932 | CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only)" on a drive root of the form \??\<letter>:, grouped here by process:
Process | drive letters opened
SPOOLSV.EXE | F:, H:, I:, K:, L:, N:, O:, Q:, T:, V:, X:, Y:, Z: (13)
CTFMON.EXE | F:, G:, H:, I:, K:, L:, M:, N:, O:, Q:, R:, S:, T:, V:, X:, Y:, Z: (17)
SVCHOST.EXE | F:, I:, J:, K:, L:, M:, N:, O:, P:, R:, S:, T:, U:, V:, W:, X:, Z: (17)
5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe | E:, G:, H:, I:, J:, L:, M:, O:, P:, R:, S:, T:, V:, W:, X:, Y:, Z: (17)
Drops file in Program Files directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (29 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" | CTFMON.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size" | CTFMON.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | CTFMON.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
832 | WINWORD.EXE
832 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
All 64 events come from these three processes, each recorded many times:
2024 | CTFMON.EXE
4176 | SPOOLSV.EXE
1312 | SVCHOST.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
832 | WINWORD.EXE
832 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (21 IoCs)
pid | Process
2696 | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
1312 | SVCHOST.EXE
4276 | SVCHOST.EXE
4176 | SPOOLSV.EXE
4576 | SVCHOST.EXE
3536 | SPOOLSV.EXE
2024 | CTFMON.EXE
1156 | SVCHOST.EXE
4288 | SPOOLSV.EXE
208 | CTFMON.EXE
2156 | CTFMON.EXE
4536 | SPOOLSV.EXE
3932 | CTFMON.EXE
832 | WINWORD.EXE (recorded 8 times)
Suspicious use of WriteProcessMemory (44 IoCs)
Each parent/child write below was recorded three times, except the last (WINWORD.EXE), which was recorded twice.
description | pid | Process | procid_target
PID 2696 wrote to memory of 1312 | 2696 | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe | 84
PID 1312 wrote to memory of 4276 | 1312 | SVCHOST.EXE | 85
PID 1312 wrote to memory of 4176 | 1312 | SVCHOST.EXE | 86
PID 4176 wrote to memory of 4576 | 4176 | SPOOLSV.EXE | 87
PID 4176 wrote to memory of 3536 | 4176 | SPOOLSV.EXE | 88
PID 4176 wrote to memory of 2024 | 4176 | SPOOLSV.EXE | 89
PID 2024 wrote to memory of 1156 | 2024 | CTFMON.EXE | 90
PID 2024 wrote to memory of 4288 | 2024 | CTFMON.EXE | 91
PID 2024 wrote to memory of 208 | 2024 | CTFMON.EXE | 92
PID 1312 wrote to memory of 2156 | 1312 | SVCHOST.EXE | 93
PID 2696 wrote to memory of 4536 | 2696 | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe | 94
PID 2696 wrote to memory of 3932 | 2696 | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe | 95
PID 1312 wrote to memory of 3748 | 1312 | SVCHOST.EXE | 96
PID 3748 wrote to memory of 3224 | 3748 | userinit.exe | 97
PID 2696 wrote to memory of 832 | 2696 | 5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe | 99
Processes
Process tree (indentation shows parent/child; each entry gives the image path, the command line, the PID and the signatures matched for that process):

C:\Users\Admin\AppData\Local\Temp\5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.exe"
  PID: 2696
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Checks computer location settings; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE
    Command line: C:\recycled\SVCHOST.EXE :agent
    PID: 1312
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE
      Command line: C:\recycled\SVCHOST.EXE :agent
      PID: 4276
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE
      Command line: C:\recycled\SPOOLSV.EXE :agent
      PID: 4176
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE
        Command line: C:\recycled\SVCHOST.EXE :agent
        PID: 4576
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE
        Command line: C:\recycled\SPOOLSV.EXE :agent
        PID: 3536
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

      C:\recycled\CTFMON.EXE
        Command line: C:\recycled\CTFMON.EXE :agent
        PID: 2024
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE
          Command line: C:\recycled\SVCHOST.EXE :agent
          PID: 1156
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE
          Command line: C:\recycled\SPOOLSV.EXE :agent
          PID: 4288
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        C:\recycled\CTFMON.EXE
          Command line: C:\recycled\CTFMON.EXE :agent
          PID: 208
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

    C:\recycled\CTFMON.EXE
      Command line: C:\recycled\CTFMON.EXE :agent
      PID: 2156
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\userinit.exe
      Command line: C:\Windows\system32\userinit.exe
      PID: 3748
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Explorer.exe
        Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        PID: 3224

  C:\recycled\SPOOLSV.EXE
    Command line: C:\recycled\SPOOLSV.EXE :agent
    PID: 4536
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE
    Command line: C:\recycled\CTFMON.EXE :agent
    PID: 3932
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5a323ac8f68192c38a384436e9cc48807af358881bc3d584b3b259f671d9e87b.doc" /o ""
    PID: 832
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 2216
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files recorded during the run (no file paths are given in the report; entries are listed by hash):
-
Filesize: 45KB
MD5: 7895496ec6f59ee93a4eea469fd342a7
SHA1: cae679f95fe5adc1bb545c143c969bc4ed0e438e
SHA256: 31aa23f5ca35ffbab867b4c36ce922bc82cd16a012efab686609ff0711a8c8eb
SHA512: 6d5329ffbd18858f8226c2d58c911dfc5ab74a8c1519327b77a92c52169d7b11ca994e3b5c259f4e589dcd295bed1b2df5debef1ad63b7f79958428f1a1db82a
-
Filesize: 45KB
MD5: 668faf5581b39115537e326c2632c9af
SHA1: e1a4246576e1cdf2bea742d20b9a7e4f209d93e0
SHA256: 513c0630d1739b6c3a52f2399c3c3ab5f9ef1ab98b05c3e378034ccd48bcb0f9
SHA512: 861778f4c80ad237a5ab0cc27eeace87aa195a82ef7a3462955155aaed179b4d41bc76c220e9a0035e3720a1d8aa0e4354541bfcf05df17b2027707872661b0c
-
Filesize: 45KB
MD5: 4ff61eccbcd8085f764adfbef22e6b72
SHA1: 11fef70d484099a0d1c467f0c1703824d5bd8c6a
SHA256: b72f869ca51be022121dd9848f14a6bf1495dba4c934c437b963fa9658f8e7d5
SHA512: f424c4dc991bdf4ccf8249b451b2c806d8b7f1bcf4b792be043cb5c40822fb0ce949a0c3102fcae6e8497266903283d544ba4834fbe30ace65de889c11463ed6
-
Filesize: 65B
MD5: ad0b0b4416f06af436328a3c12dc491b
SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize: 1KB
MD5: 0269b6347e473980c5378044ac67aa1f
SHA1: c3334de50e320ad8bce8398acff95c363d039245
SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize: 2B
MD5: 2b9d4fa85c8e82132bde46b143040142
SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be