7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Size

45KB
MD5

2994abd723b58d66f299e850b6612407
SHA1

2ed7d52364bd8f0be095674a000fe6d9301a51d9
SHA256

7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f
SHA512

4692ef1d5ce7d6ebd2dcdf3dd93accf92d3001795e5efbd8f85c2ccee34495cca00f49aa5d7f659c7f24f1c55258f76d1bdeacb3f60175e1f0de236602f7c8af
SSDEEP

768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXX:EOxyeFo6NPCAosxYyXdF5oy3VoKX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe

Executes dropped EXE 12 IoCs

pid	Process
1076	SVCHOST.EXE
2032	SVCHOST.EXE
956	SPOOLSV.EXE
1600	SVCHOST.EXE
552	SPOOLSV.EXE
1100	CTFMON.EXE
1336	SVCHOST.EXE
1196	SPOOLSV.EXE
1544	CTFMON.EXE
584	CTFMON.EXE
1148	SPOOLSV.EXE
1476	CTFMON.EXE

Loads dropped DLL 15 IoCs

pid	Process
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
1076	SVCHOST.EXE
1076	SVCHOST.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1076	SVCHOST.EXE
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\E:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\I:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\P:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\F:	CTFMON.EXE
File opened (read-only)	\??\Q:	CTFMON.EXE
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\L:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\X:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Z:	CTFMON.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\X:	CTFMON.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\H:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\M:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\G:	CTFMON.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\U:	CTFMON.EXE
File opened (read-only)	\??\K:	CTFMON.EXE
File opened (read-only)	\??\G:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\T:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\O:	CTFMON.EXE
File opened (read-only)	\??\J:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\Y:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\Z:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\V:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\O:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\U:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\W:	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\T:	CTFMON.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	CTFMON.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2036	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
956	SPOOLSV.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
1076	SVCHOST.EXE
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
956	SPOOLSV.EXE
1100	CTFMON.EXE
956	SPOOLSV.EXE
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
956	SPOOLSV.EXE
956	SPOOLSV.EXE
1100	CTFMON.EXE
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
1100	CTFMON.EXE
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE
1100	CTFMON.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
1076	SVCHOST.EXE
2032	SVCHOST.EXE
956	SPOOLSV.EXE
1600	SVCHOST.EXE
552	SPOOLSV.EXE
1100	CTFMON.EXE
1336	SVCHOST.EXE
1196	SPOOLSV.EXE
1544	CTFMON.EXE
584	CTFMON.EXE
1148	SPOOLSV.EXE
1476	CTFMON.EXE
2036	WINWORD.EXE
2036	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1076	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	27
PID 864 wrote to memory of 1076	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	27
PID 864 wrote to memory of 1076	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	27
PID 864 wrote to memory of 1076	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	27
PID 1076 wrote to memory of 2032	1076	SVCHOST.EXE	28
PID 1076 wrote to memory of 2032	1076	SVCHOST.EXE	28
PID 1076 wrote to memory of 2032	1076	SVCHOST.EXE	28
PID 1076 wrote to memory of 2032	1076	SVCHOST.EXE	28
PID 1076 wrote to memory of 956	1076	SVCHOST.EXE	29
PID 1076 wrote to memory of 956	1076	SVCHOST.EXE	29
PID 1076 wrote to memory of 956	1076	SVCHOST.EXE	29
PID 1076 wrote to memory of 956	1076	SVCHOST.EXE	29
PID 956 wrote to memory of 1600	956	SPOOLSV.EXE	30
PID 956 wrote to memory of 1600	956	SPOOLSV.EXE	30
PID 956 wrote to memory of 1600	956	SPOOLSV.EXE	30
PID 956 wrote to memory of 1600	956	SPOOLSV.EXE	30
PID 956 wrote to memory of 552	956	SPOOLSV.EXE	31
PID 956 wrote to memory of 552	956	SPOOLSV.EXE	31
PID 956 wrote to memory of 552	956	SPOOLSV.EXE	31
PID 956 wrote to memory of 552	956	SPOOLSV.EXE	31
PID 956 wrote to memory of 1100	956	SPOOLSV.EXE	32
PID 956 wrote to memory of 1100	956	SPOOLSV.EXE	32
PID 956 wrote to memory of 1100	956	SPOOLSV.EXE	32
PID 956 wrote to memory of 1100	956	SPOOLSV.EXE	32
PID 1100 wrote to memory of 1336	1100	CTFMON.EXE	33
PID 1100 wrote to memory of 1336	1100	CTFMON.EXE	33
PID 1100 wrote to memory of 1336	1100	CTFMON.EXE	33
PID 1100 wrote to memory of 1336	1100	CTFMON.EXE	33
PID 1100 wrote to memory of 1196	1100	CTFMON.EXE	34
PID 1100 wrote to memory of 1196	1100	CTFMON.EXE	34
PID 1100 wrote to memory of 1196	1100	CTFMON.EXE	34
PID 1100 wrote to memory of 1196	1100	CTFMON.EXE	34
PID 1100 wrote to memory of 1544	1100	CTFMON.EXE	35
PID 1100 wrote to memory of 1544	1100	CTFMON.EXE	35
PID 1100 wrote to memory of 1544	1100	CTFMON.EXE	35
PID 1100 wrote to memory of 1544	1100	CTFMON.EXE	35
PID 1076 wrote to memory of 584	1076	SVCHOST.EXE	36
PID 1076 wrote to memory of 584	1076	SVCHOST.EXE	36
PID 1076 wrote to memory of 584	1076	SVCHOST.EXE	36
PID 1076 wrote to memory of 584	1076	SVCHOST.EXE	36
PID 864 wrote to memory of 1148	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	37
PID 864 wrote to memory of 1148	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	37
PID 864 wrote to memory of 1148	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	37
PID 864 wrote to memory of 1148	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	37
PID 1076 wrote to memory of 1704	1076	SVCHOST.EXE	38
PID 1076 wrote to memory of 1704	1076	SVCHOST.EXE	38
PID 1076 wrote to memory of 1704	1076	SVCHOST.EXE	38
PID 1076 wrote to memory of 1704	1076	SVCHOST.EXE	38
PID 864 wrote to memory of 1476	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	39
PID 864 wrote to memory of 1476	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	39
PID 864 wrote to memory of 1476	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	39
PID 864 wrote to memory of 1476	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	39
PID 1704 wrote to memory of 1916	1704	userinit.exe	40
PID 1704 wrote to memory of 1916	1704	userinit.exe	40
PID 1704 wrote to memory of 1916	1704	userinit.exe	40
PID 1704 wrote to memory of 1916	1704	userinit.exe	40
PID 864 wrote to memory of 2036	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	42
PID 864 wrote to memory of 2036	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	42
PID 864 wrote to memory of 2036	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	42
PID 864 wrote to memory of 2036	864	7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe	42
PID 2036 wrote to memory of 1544	2036	WINWORD.EXE	45
PID 2036 wrote to memory of 1544	2036	WINWORD.EXE	45
PID 2036 wrote to memory of 1544	2036	WINWORD.EXE	45
PID 2036 wrote to memory of 1544	2036	WINWORD.EXE	45

C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
"C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2032
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1600
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\recycled\CTFMON.EXE
      C:\recycled\CTFMON.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
    - - C:\recycled\CTFMON.EXE
        
        C:\recycled\CTFMON.EXE :agent
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
- - C:\recycled\CTFMON.EXE
    C:\recycled\CTFMON.EXE :agent
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:584
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      PID:1916
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\recycled\CTFMON.EXE
  C:\recycled\CTFMON.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
C:\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
C:\recycled\SVCHOST.exe

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
\Recycled\CTFMON.EXE

Filesize
45KB

MD5
3de7740c073f70b284a5653ae53cab4d

SHA1
c4329b94b8b8ed13ce1a33cbe850326a49ba5bf6

SHA256
0f1cfbbd69cb80ae528fb3cd2dd3cab1d1967bd4ad50774a95c91031e708bd63

SHA512
3a62ce03ad788aac061a5b912a1fc7152608f58ed32b292ff95a30fb6775bca434d1da8e853e4c79bf55e1a96aba28ef1369e3614c7da208bce23572b2a00014

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
0e3520e37aeb65e772e1637d0a8a7e1a

SHA1
4478414bb9dfc7c50924e517b969684e9193e2eb

SHA256
eb7953926a09574566464ec6cc6836c984c42c95911259ccba6d54ab37d1be5d

SHA512
0df5e474c4b6f6c60e0246654cfd656363ca3a2b4a3caa5d790c25bf009890b85ffca9b22edfba2a5d6fc8364ea925310fcfadaad6324fbb423c420dae060935

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
fd188d675fa583e0bc0c906b0722cd96

SHA1
4dadd65fcf850f56d83d7ee12ebb37745090840e

SHA256
1ca3ab2def7ab7222079e96c80963e0953cd6a16ac4179693fca6bdce562be28

SHA512
3a2576d6ce3810a879bebf203b7ba708091f248e7cc0e2f74bc5e9fdf4465d1842d9ec73bf959340ac1bd2390c9012c776f63a5a90adb8eb7179a06ab9283361

Download Submit
memory/552-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/584-131-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/584-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/864-152-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/864-124-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/864-56-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-151-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/864-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/864-126-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/864-125-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/956-128-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1076-127-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1076-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-129-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1132-150-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1148-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1196-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1336-107-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1476-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1544-118-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1600-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1916-148-0x00000000745B1000-0x00000000745B3000-memory.dmp

Filesize
8KB

Download
memory/2032-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-155-0x0000000072E41000-0x0000000072E44000-memory.dmp

Filesize
12KB

Download
memory/2036-156-0x00000000708C1000-0x00000000708C3000-memory.dmp

Filesize
8KB

Download
memory/2036-157-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-159-0x00000000718AD000-0x00000000718B8000-memory.dmp

Filesize
44KB

Download
memory/2036-160-0x00000000718AD000-0x00000000718B8000-memory.dmp

Filesize
44KB

Download