7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Size

45KB
MD5

26d925c763fbf9884e8e40aeeadcaeee
SHA1

2787780ec9cd357d3dec5eb2f9bb2fb2bdced57a
SHA256

7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95
SHA512

a4bc4293bae1df27539f32c2dc08a495d4cdd45d219bbe5c8b4f3931d245985a2ce7a194a698106fb0cce6c2141766ff1972281486b01e00604c49d413d93e67
SSDEEP

768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXY:EOxyeFo6NPCAosxYyXdF5oy3VoKY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe

Executes dropped EXE 12 IoCs

pid	Process
1612	SVCHOST.EXE
324	SVCHOST.EXE
904	SPOOLSV.EXE
1928	SVCHOST.EXE
1824	SPOOLSV.EXE
1808	CTFMON.EXE
1728	SVCHOST.EXE
432	SPOOLSV.EXE
1868	CTFMON.EXE
1692	CTFMON.EXE
520	SPOOLSV.EXE
1428	CTFMON.EXE

Loads dropped DLL 15 IoCs

pid	Process
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
1612	SVCHOST.EXE
1612	SVCHOST.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1612	SVCHOST.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\S:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\W:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\Z:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\T:	CTFMON.EXE
File opened (read-only)	\??\Z:	CTFMON.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\P:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\T:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\U:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\K:	CTFMON.EXE
File opened (read-only)	\??\Y:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\O:	CTFMON.EXE
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\V:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\X:	CTFMON.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\G:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\N:	CTFMON.EXE
File opened (read-only)	\??\F:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\I:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\R:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\X:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\Q:	CTFMON.EXE
File opened (read-only)	\??\K:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\E:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\L:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\M:	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\M:	CTFMON.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1612	SVCHOST.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
904	SPOOLSV.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
1808	CTFMON.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
1808	CTFMON.EXE
904	SPOOLSV.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
1808	CTFMON.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
904	SPOOLSV.EXE
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
1808	CTFMON.EXE
904	SPOOLSV.EXE
1808	CTFMON.EXE
904	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
1612	SVCHOST.EXE
324	SVCHOST.EXE
904	SPOOLSV.EXE
1928	SVCHOST.EXE
1824	SPOOLSV.EXE
1808	CTFMON.EXE
1728	SVCHOST.EXE
432	SPOOLSV.EXE
1868	CTFMON.EXE
1692	CTFMON.EXE
520	SPOOLSV.EXE
1428	CTFMON.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1612	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	26
PID 848 wrote to memory of 1612	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	26
PID 848 wrote to memory of 1612	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	26
PID 848 wrote to memory of 1612	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	26
PID 1612 wrote to memory of 324	1612	SVCHOST.EXE	27
PID 1612 wrote to memory of 324	1612	SVCHOST.EXE	27
PID 1612 wrote to memory of 324	1612	SVCHOST.EXE	27
PID 1612 wrote to memory of 324	1612	SVCHOST.EXE	27
PID 1612 wrote to memory of 904	1612	SVCHOST.EXE	28
PID 1612 wrote to memory of 904	1612	SVCHOST.EXE	28
PID 1612 wrote to memory of 904	1612	SVCHOST.EXE	28
PID 1612 wrote to memory of 904	1612	SVCHOST.EXE	28
PID 904 wrote to memory of 1928	904	SPOOLSV.EXE	29
PID 904 wrote to memory of 1928	904	SPOOLSV.EXE	29
PID 904 wrote to memory of 1928	904	SPOOLSV.EXE	29
PID 904 wrote to memory of 1928	904	SPOOLSV.EXE	29
PID 904 wrote to memory of 1824	904	SPOOLSV.EXE	30
PID 904 wrote to memory of 1824	904	SPOOLSV.EXE	30
PID 904 wrote to memory of 1824	904	SPOOLSV.EXE	30
PID 904 wrote to memory of 1824	904	SPOOLSV.EXE	30
PID 904 wrote to memory of 1808	904	SPOOLSV.EXE	31
PID 904 wrote to memory of 1808	904	SPOOLSV.EXE	31
PID 904 wrote to memory of 1808	904	SPOOLSV.EXE	31
PID 904 wrote to memory of 1808	904	SPOOLSV.EXE	31
PID 1808 wrote to memory of 1728	1808	CTFMON.EXE	32
PID 1808 wrote to memory of 1728	1808	CTFMON.EXE	32
PID 1808 wrote to memory of 1728	1808	CTFMON.EXE	32
PID 1808 wrote to memory of 1728	1808	CTFMON.EXE	32
PID 1808 wrote to memory of 432	1808	CTFMON.EXE	33
PID 1808 wrote to memory of 432	1808	CTFMON.EXE	33
PID 1808 wrote to memory of 432	1808	CTFMON.EXE	33
PID 1808 wrote to memory of 432	1808	CTFMON.EXE	33
PID 1808 wrote to memory of 1868	1808	CTFMON.EXE	34
PID 1808 wrote to memory of 1868	1808	CTFMON.EXE	34
PID 1808 wrote to memory of 1868	1808	CTFMON.EXE	34
PID 1808 wrote to memory of 1868	1808	CTFMON.EXE	34
PID 1612 wrote to memory of 1692	1612	SVCHOST.EXE	35
PID 1612 wrote to memory of 1692	1612	SVCHOST.EXE	35
PID 1612 wrote to memory of 1692	1612	SVCHOST.EXE	35
PID 1612 wrote to memory of 1692	1612	SVCHOST.EXE	35
PID 848 wrote to memory of 520	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	36
PID 848 wrote to memory of 520	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	36
PID 848 wrote to memory of 520	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	36
PID 848 wrote to memory of 520	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	36
PID 848 wrote to memory of 1428	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	37
PID 848 wrote to memory of 1428	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	37
PID 848 wrote to memory of 1428	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	37
PID 848 wrote to memory of 1428	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	37
PID 1612 wrote to memory of 852	1612	SVCHOST.EXE	38
PID 1612 wrote to memory of 852	1612	SVCHOST.EXE	38
PID 1612 wrote to memory of 852	1612	SVCHOST.EXE	38
PID 1612 wrote to memory of 852	1612	SVCHOST.EXE	38
PID 852 wrote to memory of 572	852	userinit.exe	39
PID 852 wrote to memory of 572	852	userinit.exe	39
PID 852 wrote to memory of 572	852	userinit.exe	39
PID 852 wrote to memory of 572	852	userinit.exe	39
PID 848 wrote to memory of 1624	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	41
PID 848 wrote to memory of 1624	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	41
PID 848 wrote to memory of 1624	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	41
PID 848 wrote to memory of 1624	848	7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe	41

C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
"C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1928
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1824
  - - C:\recycled\CTFMON.EXE
      C:\recycled\CTFMON.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - C:\recycled\CTFMON.EXE
        
        C:\recycled\CTFMON.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
- - C:\recycled\CTFMON.EXE
    C:\recycled\CTFMON.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      PID:572
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\recycled\CTFMON.EXE
  C:\recycled\CTFMON.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1428
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
C:\recycled\SVCHOST.exe

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
b3cda1975baf66c298316bacbf484efb

SHA1
a3073fd11f95c496449aa68312353bc3a987a17b

SHA256
a4e363b757817303bcbb3e470069425e1297df97b3fe0ecc82aecc244780b33e

SHA512
b81564c2c6d18136e388048685a02c3d317d2cce385f291363f44c61eebbca4f19fc524a5769933cc5e7d88ad7308b5f1064ae1067867f255dc9828333b09455

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
59cef9da8406f061e49ba80113a73214

SHA1
c736c92dfb43009b732d75eb30e083520f5792fc

SHA256
f179e7a69af74506e6afde2d7266162e49ba3c471f482a3cb1bc8accc8eb385b

SHA512
f912400dc3ccbc88bfe1f8d91f18c8ff5fe20a82505e848cb7fbce755a27d6e4769254bf061ae2bd28db11190b8a5011c9662181542c5acc1b38fd15f4c4855e

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
a2f2ad902317a255373112193d379f7a

SHA1
ef6748e1370ece12f407d58e6705df29a96d54fb

SHA256
f3111e7a7f2d891d8a5cf5f272c501e2ad8ac25e09199eca4409ccaa8d042fe7

SHA512
03dfaca581f7b0779a90c0b48fd30985840481a67093d50b164f9bbb36944c65615dcb88725359715838fb44366b5b5c5430e3e2c1d5a506807022ae1d2d12a4

Download Submit
memory/324-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/432-119-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/520-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/552-150-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/572-148-0x0000000074791000-0x0000000074793000-memory.dmp

Filesize
8KB

Download
memory/848-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/848-152-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/848-57-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/848-90-0x0000000002480000-0x000000000249A000-memory.dmp

Filesize
104KB

Download
memory/848-86-0x0000000002480000-0x000000000249A000-memory.dmp

Filesize
104KB

Download
memory/904-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/904-139-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/904-161-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/904-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1428-144-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1612-92-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1612-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1624-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-154-0x0000000070281000-0x0000000070283000-memory.dmp

Filesize
8KB

Download
memory/1624-157-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1624-153-0x0000000072801000-0x0000000072804000-memory.dmp

Filesize
12KB

Download
memory/1624-158-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1692-129-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1728-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1808-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1824-100-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1868-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1928-89-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download