2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Size

42KB
MD5

748080737c5e82390029c4fead317fbf
SHA1

3fc1c1a20cc6749f92c2589b26bd7a277348dc02
SHA256

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897
SHA512

5e411396d2453d735d6f54a52a0a3f5a3dd387b035316fba89491ab38115a0d0d02e7cd9e05faee32073522bc7a3a21b5e996056b9bd9fa32690dfd51efb92d6
SSDEEP

768:gSz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888F:BzOCay4wV339rPjzbpLwRJ9pSdoIQ

Score

10^/10

aspackv2 evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SVCHOST.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeCTFMON.EXESPOOLSV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

ASPack v2.12-2.42 35 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\recycled\SVCHOST.exe	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
behavioral1/memory/556-91-0x00000000003B0000-0x00000000003CA000-memory.dmp	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
behavioral1/memory/556-165-0x00000000003B0000-0x00000000003CA000-memory.dmp	aspack_v212_v242

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXE

pid	process
648	SVCHOST.EXE
1008	SVCHOST.EXE
556	SPOOLSV.EXE
1556	SVCHOST.EXE
1580	SPOOLSV.EXE
364	CTFMON.EXE
1752	SVCHOST.EXE
1368	SPOOLSV.EXE
1764	CTFMON.EXE
1720	CTFMON.EXE
1072	SPOOLSV.EXE
1048	CTFMON.EXE

Loads dropped DLL 15 IoCs

Processes:

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

pid	process
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
648	SVCHOST.EXE
648	SVCHOST.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
648	SVCHOST.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

description ioc process

File opened for modification C:\Recycled\desktop.ini 2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SPOOLSV.EXECTFMON.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeSVCHOST.EXE

description	ioc	process
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\H:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\V:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\F:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\N:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\Q:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\E:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\L:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\S:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\U:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	CTFMON.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\N:	CTFMON.EXE
File opened (read-only)	\??\O:	CTFMON.EXE
File opened (read-only)	\??\I:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\K:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\T:	CTFMON.EXE
File opened (read-only)	\??\I:	CTFMON.EXE
File opened (read-only)	\??\P:	CTFMON.EXE
File opened (read-only)	\??\P:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	CTFMON.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\U:	CTFMON.EXE
File opened (read-only)	\??\M:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\Y:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\T:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\G:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\R:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\Z:	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened (read-only)	\??\V:	CTFMON.EXE
File opened (read-only)	\??\E:	CTFMON.EXE
File opened (read-only)	\??\J:	CTFMON.EXE

Drops file in Windows directory 6 IoCs

Processes:

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	CTFMON.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeCTFMON.EXESVCHOST.EXESPOOLSV.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	CTFMON.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE

pid	process
1728	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SPOOLSV.EXESVCHOST.EXECTFMON.EXE2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe

pid	process
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
648	SVCHOST.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
556	SPOOLSV.EXE
364	CTFMON.EXE
648	SVCHOST.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
556	SPOOLSV.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
648	SVCHOST.EXE
364	CTFMON.EXE
556	SPOOLSV.EXE
648	SVCHOST.EXE
556	SPOOLSV.EXE
648	SVCHOST.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
364	CTFMON.EXE
556	SPOOLSV.EXE
648	SVCHOST.EXE
556	SPOOLSV.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
648	SVCHOST.EXE
556	SPOOLSV.EXE
556	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

pid	process
1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
648	SVCHOST.EXE
1008	SVCHOST.EXE
556	SPOOLSV.EXE
1556	SVCHOST.EXE
1580	SPOOLSV.EXE
364	CTFMON.EXE
1752	SVCHOST.EXE
1368	SPOOLSV.EXE
1764	CTFMON.EXE
1720	CTFMON.EXE
1072	SPOOLSV.EXE
1048	CTFMON.EXE
1728	WINWORD.EXE
1728	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

description	pid	process	target process
PID 1104 wrote to memory of 648	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SVCHOST.EXE
PID 1104 wrote to memory of 648	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SVCHOST.EXE
PID 1104 wrote to memory of 648	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SVCHOST.EXE
PID 1104 wrote to memory of 648	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SVCHOST.EXE
PID 648 wrote to memory of 1008	648	SVCHOST.EXE	SVCHOST.EXE
PID 648 wrote to memory of 1008	648	SVCHOST.EXE	SVCHOST.EXE
PID 648 wrote to memory of 1008	648	SVCHOST.EXE	SVCHOST.EXE
PID 648 wrote to memory of 1008	648	SVCHOST.EXE	SVCHOST.EXE
PID 648 wrote to memory of 556	648	SVCHOST.EXE	SPOOLSV.EXE
PID 648 wrote to memory of 556	648	SVCHOST.EXE	SPOOLSV.EXE
PID 648 wrote to memory of 556	648	SVCHOST.EXE	SPOOLSV.EXE
PID 648 wrote to memory of 556	648	SVCHOST.EXE	SPOOLSV.EXE
PID 556 wrote to memory of 1556	556	SPOOLSV.EXE	SVCHOST.EXE
PID 556 wrote to memory of 1556	556	SPOOLSV.EXE	SVCHOST.EXE
PID 556 wrote to memory of 1556	556	SPOOLSV.EXE	SVCHOST.EXE
PID 556 wrote to memory of 1556	556	SPOOLSV.EXE	SVCHOST.EXE
PID 556 wrote to memory of 1580	556	SPOOLSV.EXE	SPOOLSV.EXE
PID 556 wrote to memory of 1580	556	SPOOLSV.EXE	SPOOLSV.EXE
PID 556 wrote to memory of 1580	556	SPOOLSV.EXE	SPOOLSV.EXE
PID 556 wrote to memory of 1580	556	SPOOLSV.EXE	SPOOLSV.EXE
PID 556 wrote to memory of 364	556	SPOOLSV.EXE	CTFMON.EXE
PID 556 wrote to memory of 364	556	SPOOLSV.EXE	CTFMON.EXE
PID 556 wrote to memory of 364	556	SPOOLSV.EXE	CTFMON.EXE
PID 556 wrote to memory of 364	556	SPOOLSV.EXE	CTFMON.EXE
PID 364 wrote to memory of 1752	364	CTFMON.EXE	SVCHOST.EXE
PID 364 wrote to memory of 1752	364	CTFMON.EXE	SVCHOST.EXE
PID 364 wrote to memory of 1752	364	CTFMON.EXE	SVCHOST.EXE
PID 364 wrote to memory of 1752	364	CTFMON.EXE	SVCHOST.EXE
PID 364 wrote to memory of 1368	364	CTFMON.EXE	SPOOLSV.EXE
PID 364 wrote to memory of 1368	364	CTFMON.EXE	SPOOLSV.EXE
PID 364 wrote to memory of 1368	364	CTFMON.EXE	SPOOLSV.EXE
PID 364 wrote to memory of 1368	364	CTFMON.EXE	SPOOLSV.EXE
PID 364 wrote to memory of 1764	364	CTFMON.EXE	CTFMON.EXE
PID 364 wrote to memory of 1764	364	CTFMON.EXE	CTFMON.EXE
PID 364 wrote to memory of 1764	364	CTFMON.EXE	CTFMON.EXE
PID 364 wrote to memory of 1764	364	CTFMON.EXE	CTFMON.EXE
PID 648 wrote to memory of 1720	648	SVCHOST.EXE	CTFMON.EXE
PID 648 wrote to memory of 1720	648	SVCHOST.EXE	CTFMON.EXE
PID 648 wrote to memory of 1720	648	SVCHOST.EXE	CTFMON.EXE
PID 648 wrote to memory of 1720	648	SVCHOST.EXE	CTFMON.EXE
PID 1104 wrote to memory of 1072	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SPOOLSV.EXE
PID 1104 wrote to memory of 1072	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SPOOLSV.EXE
PID 1104 wrote to memory of 1072	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SPOOLSV.EXE
PID 1104 wrote to memory of 1072	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	SPOOLSV.EXE
PID 1104 wrote to memory of 1048	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	CTFMON.EXE
PID 1104 wrote to memory of 1048	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	CTFMON.EXE
PID 1104 wrote to memory of 1048	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	CTFMON.EXE
PID 1104 wrote to memory of 1048	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	CTFMON.EXE
PID 1104 wrote to memory of 1728	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	WINWORD.EXE
PID 1104 wrote to memory of 1728	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	WINWORD.EXE
PID 1104 wrote to memory of 1728	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	WINWORD.EXE
PID 1104 wrote to memory of 1728	1104	2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe	WINWORD.EXE
PID 1728 wrote to memory of 1820	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1820	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1820	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1820	1728	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe
"C:\Users\Admin\AppData\Local\Temp\2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1368

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1072

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2524aab82b6b4458ebd9547641afbd36061f08d43d37fc6f7965b493466d7897.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
42KB

MD5
412387a7e2dd4f7b3257bcd01e10a4df

SHA1
7adc1b7a4d0ea1761c83e6d791bee3e92f2307a5

SHA256
8a76a28566177a19d03d83dc5d9b61d065ab1fee011005f965bd86a3e3a1dc4f

SHA512
e473430466cb0de879e40c936a3cdaac8aeb7b44a021c77d7586f2e9195ae16c12d344c8cbd7996ce27d1b58ddefdc4c9726134cb753f570fba17ef3ccbac488

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
42KB

MD5
0fc971e13c2b225325cb29baa2712876

SHA1
05e9e0d85ce030e9c48907e5b4967e69e0976ac6

SHA256
9a03920932bdc5c5af8ff3cb56f8494aa88c9e4186793a12e40921cac674cf20

SHA512
ecdd3112bd088d1324aadd7ae4894d481ea8cc1f2d9fed0b1150496a4993e5f340c6ca24fae8bcd55581a43d6fe69a137a3f957beb61b23ba91091799ec263a9

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
42KB

MD5
412387a7e2dd4f7b3257bcd01e10a4df

SHA1
7adc1b7a4d0ea1761c83e6d791bee3e92f2307a5

SHA256
8a76a28566177a19d03d83dc5d9b61d065ab1fee011005f965bd86a3e3a1dc4f

SHA512
e473430466cb0de879e40c936a3cdaac8aeb7b44a021c77d7586f2e9195ae16c12d344c8cbd7996ce27d1b58ddefdc4c9726134cb753f570fba17ef3ccbac488

Download Submit
C:\recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
C:\recycled\SVCHOST.exe

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
\Recycled\CTFMON.EXE

Filesize
42KB

MD5
33d28602605ffb0c161e8004d3638b20

SHA1
e4629401d275bf9514cd3d482d977834475c7bf6

SHA256
917fd8a758df5a77f2c496bf1a5526fd918b18a6beb5e4dbada5ab0b71fecda0

SHA512
00121202a81433c68d143a6f79b197cac89c5b5ba00c27a9d006502d803fb081b3efc77ea1f279370074a95fc5edb3e5d9c9cfd57d6875a07277a6674a383741

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
42KB

MD5
90163b16bbe287b54e42d88f78acbed9

SHA1
aea93a01dac2b39c8f33021175371a077d4b3dad

SHA256
572c646b5837630173892f9710a88568e4ff0febeab867a8b9ebf04c6e404cf9

SHA512
c85f302ec8f4f406d259d43d7d650ffdda1088b633655f14567392498b64fc96bdf447c96fe9e980ceb33ad30440b90a99aa9f8192aec741118a8295f08ddcb4

Download Submit
\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
\Recycled\SVCHOST.EXE

Filesize
42KB

MD5
54a67ad8fdec49f43d927bab06f5ed94

SHA1
bb7142bdcb2e1c9089861153f028b850b93c464d

SHA256
344c0e4824660637fbfaeb0f458cfe2986a48d108a1391b875ae675ba1b63048

SHA512
5d2163abc5e17e89162551812a90216620cf2920a8b6128953bee8b7a4c4004ca14d4bfd6ba4ade19b81f1daad816c74cb6feda9d792baf52f8344f0904b8c06

Download Submit
memory/364-148-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/364-103-0x0000000000000000-mapping.dmp

Download
memory/556-165-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/556-76-0x0000000000000000-mapping.dmp

Download
memory/556-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/556-147-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/556-146-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/556-89-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/556-91-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/648-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/648-60-0x0000000000000000-mapping.dmp

Download
memory/648-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1008-72-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1008-68-0x0000000000000000-mapping.dmp

Download
memory/1048-141-0x0000000000000000-mapping.dmp

Download
memory/1048-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1072-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1072-135-0x0000000000000000-mapping.dmp

Download
memory/1104-86-0x0000000001C90000-0x0000000001CAA000-memory.dmp

Filesize
104KB

Download
memory/1104-57-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1104-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1104-149-0x00000000040E0000-0x00000000040EB000-memory.dmp

Filesize
44KB

Download
memory/1104-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1368-118-0x0000000000000000-mapping.dmp

Download
memory/1368-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1556-92-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1556-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1580-99-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-95-0x0000000000000000-mapping.dmp

Download
memory/1720-129-0x0000000000000000-mapping.dmp

Download
memory/1728-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-162-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/1728-153-0x0000000070321000-0x0000000070323000-memory.dmp

Filesize
8KB

Download
memory/1728-152-0x00000000728A1000-0x00000000728A4000-memory.dmp

Filesize
12KB

Download
memory/1728-156-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/1728-157-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/1728-161-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-150-0x0000000000000000-mapping.dmp

Download
memory/1752-111-0x0000000000000000-mapping.dmp

Download
memory/1752-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1764-127-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1764-122-0x0000000000000000-mapping.dmp

Download
memory/1820-159-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1820-158-0x0000000000000000-mapping.dmp

Download