bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Size

42KB
MD5

a4ffa86f2f2bd79d6620f3762f3717dc
SHA1

c91221cd293a2e13b592150006e4c395c8439333
SHA256

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc
SHA512

632d5c3398da059336d51f83c5335a26858eee255f5d29067ec5f86f3ef345f1ed467cdf6e09c98b474f199122e1046765df606f8b0cbe0ede77290bff41eaa4
SSDEEP

768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888x:hzOCay4wV339rPjzbpLwRJ9pSdoIE

Score

10^/10

aspackv2 evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

SVCHOST.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeCTFMON.EXESPOOLSV.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

ASPack v2.12-2.42 34 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\recycled\SVCHOST.exe	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
behavioral1/memory/944-148-0x0000000001D40000-0x0000000001D5A000-memory.dmp	aspack_v212_v242

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXE

pid	process
944	SVCHOST.EXE
2040	SVCHOST.EXE
2000	SPOOLSV.EXE
1692	SVCHOST.EXE
1716	SPOOLSV.EXE
776	CTFMON.EXE
1652	SVCHOST.EXE
1204	SPOOLSV.EXE
584	CTFMON.EXE
1104	CTFMON.EXE
1140	SPOOLSV.EXE
1940	CTFMON.EXE

Loads dropped DLL 15 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

pid	process
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
944	SVCHOST.EXE
944	SVCHOST.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
944	SVCHOST.EXE
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description ioc process

File opened for modification C:\Recycled\desktop.ini bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SVCHOST.EXECTFMON.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSPOOLSV.EXE

description	ioc	process
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\E:	CTFMON.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\K:	CTFMON.EXE
File opened (read-only)	\??\N:	CTFMON.EXE
File opened (read-only)	\??\G:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\P:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\V:	CTFMON.EXE
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	CTFMON.EXE
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\E:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Q:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\H:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\M:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\O:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\I:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\L:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\U:	CTFMON.EXE
File opened (read-only)	\??\T:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Z:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\P:	CTFMON.EXE
File opened (read-only)	\??\W:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Y:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\R:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\U:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Y:	SVCHOST.EXE

Drops file in Windows directory 6 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	CTFMON.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXECTFMON.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1004 WINWORD.EXE

pid	process
1004	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SPOOLSV.EXESVCHOST.EXECTFMON.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

pid	process
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
776	CTFMON.EXE
776	CTFMON.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
944	SVCHOST.EXE
944	SVCHOST.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
944	SVCHOST.EXE
944	SVCHOST.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
944	SVCHOST.EXE
944	SVCHOST.EXE
776	CTFMON.EXE
2000	SPOOLSV.EXE
2000	SPOOLSV.EXE
776	CTFMON.EXE
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE
776	CTFMON.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

pid	process
1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
944	SVCHOST.EXE
2040	SVCHOST.EXE
2000	SPOOLSV.EXE
1692	SVCHOST.EXE
1716	SPOOLSV.EXE
776	CTFMON.EXE
1652	SVCHOST.EXE
1204	SPOOLSV.EXE
584	CTFMON.EXE
1104	CTFMON.EXE
1140	SPOOLSV.EXE
1940	CTFMON.EXE
1004	WINWORD.EXE
1004	WINWORD.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

description	pid	process	target process
PID 1664 wrote to memory of 944	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1664 wrote to memory of 944	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1664 wrote to memory of 944	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1664 wrote to memory of 944	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 944 wrote to memory of 2040	944	SVCHOST.EXE	SVCHOST.EXE
PID 944 wrote to memory of 2040	944	SVCHOST.EXE	SVCHOST.EXE
PID 944 wrote to memory of 2040	944	SVCHOST.EXE	SVCHOST.EXE
PID 944 wrote to memory of 2040	944	SVCHOST.EXE	SVCHOST.EXE
PID 944 wrote to memory of 2000	944	SVCHOST.EXE	SPOOLSV.EXE
PID 944 wrote to memory of 2000	944	SVCHOST.EXE	SPOOLSV.EXE
PID 944 wrote to memory of 2000	944	SVCHOST.EXE	SPOOLSV.EXE
PID 944 wrote to memory of 2000	944	SVCHOST.EXE	SPOOLSV.EXE
PID 2000 wrote to memory of 1692	2000	SPOOLSV.EXE	SVCHOST.EXE
PID 2000 wrote to memory of 1692	2000	SPOOLSV.EXE	SVCHOST.EXE
PID 2000 wrote to memory of 1692	2000	SPOOLSV.EXE	SVCHOST.EXE
PID 2000 wrote to memory of 1692	2000	SPOOLSV.EXE	SVCHOST.EXE
PID 2000 wrote to memory of 1716	2000	SPOOLSV.EXE	SPOOLSV.EXE
PID 2000 wrote to memory of 1716	2000	SPOOLSV.EXE	SPOOLSV.EXE
PID 2000 wrote to memory of 1716	2000	SPOOLSV.EXE	SPOOLSV.EXE
PID 2000 wrote to memory of 1716	2000	SPOOLSV.EXE	SPOOLSV.EXE
PID 2000 wrote to memory of 776	2000	SPOOLSV.EXE	CTFMON.EXE
PID 2000 wrote to memory of 776	2000	SPOOLSV.EXE	CTFMON.EXE
PID 2000 wrote to memory of 776	2000	SPOOLSV.EXE	CTFMON.EXE
PID 2000 wrote to memory of 776	2000	SPOOLSV.EXE	CTFMON.EXE
PID 776 wrote to memory of 1652	776	CTFMON.EXE	SVCHOST.EXE
PID 776 wrote to memory of 1652	776	CTFMON.EXE	SVCHOST.EXE
PID 776 wrote to memory of 1652	776	CTFMON.EXE	SVCHOST.EXE
PID 776 wrote to memory of 1652	776	CTFMON.EXE	SVCHOST.EXE
PID 776 wrote to memory of 1204	776	CTFMON.EXE	SPOOLSV.EXE
PID 776 wrote to memory of 1204	776	CTFMON.EXE	SPOOLSV.EXE
PID 776 wrote to memory of 1204	776	CTFMON.EXE	SPOOLSV.EXE
PID 776 wrote to memory of 1204	776	CTFMON.EXE	SPOOLSV.EXE
PID 776 wrote to memory of 584	776	CTFMON.EXE	CTFMON.EXE
PID 776 wrote to memory of 584	776	CTFMON.EXE	CTFMON.EXE
PID 776 wrote to memory of 584	776	CTFMON.EXE	CTFMON.EXE
PID 776 wrote to memory of 584	776	CTFMON.EXE	CTFMON.EXE
PID 944 wrote to memory of 1104	944	SVCHOST.EXE	CTFMON.EXE
PID 944 wrote to memory of 1104	944	SVCHOST.EXE	CTFMON.EXE
PID 944 wrote to memory of 1104	944	SVCHOST.EXE	CTFMON.EXE
PID 944 wrote to memory of 1104	944	SVCHOST.EXE	CTFMON.EXE
PID 1664 wrote to memory of 1140	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1664 wrote to memory of 1140	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1664 wrote to memory of 1140	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1664 wrote to memory of 1140	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1664 wrote to memory of 1940	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1664 wrote to memory of 1940	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1664 wrote to memory of 1940	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1664 wrote to memory of 1940	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1664 wrote to memory of 1004	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE
PID 1664 wrote to memory of 1004	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE
PID 1664 wrote to memory of 1004	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE
PID 1664 wrote to memory of 1004	1664	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
"C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1716

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1652

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1204

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1104

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
f83ce8362919df4a34fa6440e756096b

SHA1
cbb467378a11935da0effcfdadeabd48bc5f9164

SHA256
2b01debe834f9051e11e938ff56c2b859c3cf81e86cb7caf991dc66886828ad4

SHA512
fb21945390dafd42b9ab14c7f3e4f640837006d570e36d453b1d0372199a893f890bb6c0c388af07c558705200db137488e42128a0bccb4ea8b6393ecd6b2012

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
6f77afc127e907fa28842e7ec902a876

SHA1
07646d89d1cd2738d37e306b13ecd0a3c9699998

SHA256
948069fcf122ce03d98b1633ac2d56ff082d25c62187b81f4166c38091a74668

SHA512
081880131c0b14c0f9cc9bd4e76507c452443f4d22ff045c1740f5ddeb29cf09fdae0a1d0debea97fca6d2861fa2953a04155dc532e00b9c177714bd5ba7f0bd

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
f83ce8362919df4a34fa6440e756096b

SHA1
cbb467378a11935da0effcfdadeabd48bc5f9164

SHA256
2b01debe834f9051e11e938ff56c2b859c3cf81e86cb7caf991dc66886828ad4

SHA512
fb21945390dafd42b9ab14c7f3e4f640837006d570e36d453b1d0372199a893f890bb6c0c388af07c558705200db137488e42128a0bccb4ea8b6393ecd6b2012

Download Submit
C:\recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
C:\recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
C:\recycled\SVCHOST.exe
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
47df2d3fc9e9686363eab759ad1d2e67

SHA1
e227787b3c651332708700ca0c0745fd4e3e4da2

SHA256
2f6817a7e6317c9a08c02c415c39e46c3be31d923178438b139dd72437273c46

SHA512
af688a1878d960e2c3c9b9b3909e3ea57083b2e2f0829cb20ed342c8484f8e39ca06b38633055a67fde2ae3a1b571da5251e5e0a1fa766d6e571d65a0c89bc59

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
e0fbfa11e574b987fb744dfb4bfbf2f8

SHA1
fd2064fde24f057c0be3ef45f22979b78f9a57cb

SHA256
c7f01822e5878fca0e0b9eaf0428a88b6791004abe780a2e954ecbf682ac3ce7

SHA512
7ad9f8b241f29e41f710bb6dea84f29f568d3aa5b79eba6c3aeba6eb549d0bbf37c33c508de3c7fba794f2802454e64b1e5d486cd768e0ca78817fc23f675208

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
05cd6d4df6667e481e4dc7f0f7a7d45d

SHA1
94692122e37ba21bd78659e5ed50748a5577c3e7

SHA256
e20e2361507134f772fee97d25db1d791c10c7408fb475cb74b007448fa4a069

SHA512
216db3f0316d2cabf1c600cae704301c9501bffed1a4868c0c8b089ea9fedf4b4a5fcd875e0299ab83bc504907252cf9d9973320ba5394d19c13517bee772093

Download Submit
memory/584-127-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/584-122-0x0000000000000000-mapping.dmp

Download
memory/776-97-0x0000000000000000-mapping.dmp

Download
memory/776-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/776-147-0x00000000024D0000-0x00000000024EA000-memory.dmp

Filesize
104KB

Download
memory/776-118-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/944-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/944-161-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/944-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/944-148-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1004-157-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/1004-156-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/1004-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1004-153-0x0000000070251000-0x0000000070253000-memory.dmp

Filesize
8KB

Download
memory/1004-152-0x00000000727D1000-0x00000000727D4000-memory.dmp

Filesize
12KB

Download
memory/1004-150-0x0000000000000000-mapping.dmp

Download
memory/1104-129-0x0000000000000000-mapping.dmp

Download
memory/1104-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1140-136-0x0000000000000000-mapping.dmp

Download
memory/1140-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1204-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1204-117-0x0000000000000000-mapping.dmp

Download
memory/1652-114-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1652-105-0x0000000000000000-mapping.dmp

Download
memory/1664-111-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1664-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1664-56-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1664-149-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1664-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1664-110-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1692-83-0x0000000000000000-mapping.dmp

Download
memory/1692-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1716-89-0x0000000000000000-mapping.dmp

Download
memory/1716-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1940-142-0x0000000000000000-mapping.dmp

Download
memory/1940-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2000-75-0x0000000000000000-mapping.dmp

Download
memory/2000-158-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2000-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2040-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2040-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads