Analysis
max time kernel: 151s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 06:53
Behavioral task behavioral1
Sample: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Resource: win10v2004-20220812-en
General
Target: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Size: 42KB
MD5: a4ffa86f2f2bd79d6620f3762f3717dc
SHA1: c91221cd293a2e13b592150006e4c395c8439333
SHA256: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc
SHA512: 632d5c3398da059336d51f83c5335a26858eee255f5d29067ec5f86f3ef345f1ed467cdf6e09c98b474f199122e1046765df606f8b0cbe0ede77290bff41eaa4
SSDEEP: 768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888x:hzOCay4wV339rPjzbpLwRJ9pSdoIE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Processes: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Each of the four processes writes both Shell values, giving the eight IoCs:
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""  (CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""  (CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Both values keep Explorer.exe as the shell and hand it the dropped executable as an argument, so the desktop still appears at logon while the second program is launched. The \u00a0 in the HKLM value is a literal no-break space: the dropped file is "C:\Windows\Fonts\ Explorer.exe" with that character as the first character of its name, which is why the path shows an apparent blank after Fonts\ elsewhere in this report.
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
Processes: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (written by each of the four processes)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
Processes: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe, CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE
  Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (written by each of the four processes)
Together with HideFileExt = 1 above, Explorer shows the user neither file extensions nor hidden/system files.
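The three signatures above (Winlogon\Shell rewritten to launch a dropped file, HideFileExt = 1, ShowSuperHidden = 0) are the checks a responder would run against a host suspected of the same infection. The following Python is an added example and is not part of the sandbox report or of the sample: it parses IoC lines in the report's own `Set value (type) \REGISTRY\... = "value" PROCESS` shape, decides whether a Winlogon Shell value contains anything besides explorer.exe, flags file names that contain whitespace other than a plain space (the U+00A0 in the Fonts\ Explorer.exe path), and flags the two Explorer hide settings. The first four sample lines are copied from the tables above; the fifth is a constructed clean baseline, and the finding labels are this example's own naming.

```python
"""Checks over Winlogon / Explorer registry IoCs of the kind listed above.

Added example, not part of the sandbox report.  It parses report-style
'Set value (type) \\REGISTRY\\...\\Name = "value" PROCESS' lines and applies:
  * Winlogon\\Shell must be exactly explorer.exe; any extra entry is a
    logon-time persistence hijack.
  * A file name containing whitespace other than a plain space (here U+00A0
    at the start of "Fonts\\ Explorer.exe") is a masquerading indicator.
  * Explorer\\Advanced HideFileExt=1 / ShowSuperHidden=0 hide extensions and
    hidden/system files from the user.
"""
import re
import unicodedata

# Report-style line: description, (value type), key, = "value", process.
IOC_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)

# First four lines copied from the report's signature tables; the last is a
# constructed clean baseline (not from the report) that must yield no finding.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" CTFMON.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SPOOLSV.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CTFMON.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" constructed-baseline.exe',
]


def parse_ioc(line):
    """Return (key, value, process) for one 'Set value' line, else None."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    # The report escapes values JSON-style (\" \\ \uXXXX); undo that so the
    # no-break space becomes a real character and paths lose doubled slashes.
    value = m["value"].encode("latin-1", "backslashreplace").decode("unicode_escape")
    return m["key"], value, m["proc"]


def split_shell_value(value):
    """Split a Winlogon Shell value into program entries.

    Entries are separated by whitespace or commas; a double-quoted entry may
    contain spaces.  The quotes themselves are dropped from the result.
    """
    entries, cur, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in " \t,":
            if cur:
                entries.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        entries.append("".join(cur))
    return entries


def shell_extra_entries(value):
    """Everything in a Shell value other than the stock explorer.exe."""
    return [e for e in split_shell_value(value) if e.lower() != "explorer.exe"]


def odd_whitespace(path):
    """Whitespace characters other than a plain space in the last path component."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
            for c in name if c.isspace() and c != " "]


def analyze(lines):
    """Run the checks over report-style lines; returns (process, finding, detail) tuples."""
    findings = []
    for line in lines:
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        key, value, proc = parsed
        name = key.rsplit("\\", 1)[-1].lower()
        if key.lower().endswith(r"\winlogon\shell"):
            for extra in shell_extra_entries(value):
                findings.append((proc, "winlogon-shell-hijack", extra))
                for ws in odd_whitespace(extra):
                    findings.append((proc, "masquerading-whitespace", ws))
        elif name == "hidefileext" and value == "1":
            findings.append((proc, "hides-file-extensions", key))
        elif name == "showsuperhidden" and value == "0":
            findings.append((proc, "hides-system-files", key))
    return findings


if __name__ == "__main__":
    for proc, kind, detail in analyze(SAMPLE_IOCS):
        print(f"{proc:<12} {kind:<24} {detail}")
```

On a live host the same functions apply to values read with winreg or `reg query`; the only report-specific part is `parse_ioc`, and `shell_extra_entries` accepts the comma-separated form Winlogon itself uses as well as the space-separated form seen here. A full-path `C:\Windows\explorer.exe` entry would also be reported as extra, which is deliberate: anything other than the default value deserves a look.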
YARA rule matches (resource / yara_rule, 21 hits)
Every dropped copy of the three payload files and the Fonts\ Explorer.exe file matched the same rule; the rule name identifies the ASPack 2.12-2.42 packer:
  C:\Recycled\SVCHOST.EXE (also written as C:\recycled\SVCHOST.EXE)  aspack_v212_v242
  C:\Recycled\SPOOLSV.EXE (also written as C:\recycled\SPOOLSV.EXE)  aspack_v212_v242
  C:\Recycled\CTFMON.EXE (also written as C:\recycled\CTFMON.EXE)  aspack_v212_v242
  C:\Windows\Fonts\ Explorer.exe  aspack_v212_v242
Executes dropped EXE (15 IoCs)
pid / process:
  2688 SVCHOST.EXE
  4104 SVCHOST.EXE
  2176 SPOOLSV.EXE
  4676 SVCHOST.EXE
  1040 SPOOLSV.EXE
  3776 CTFMON.EXE
  3520 SVCHOST.EXE
  4940 SPOOLSV.EXE
  5008 CTFMON.EXE
  4768 CTFMON.EXE
  864 SPOOLSV.EXE
  4064 CTFMON.EXE
  4724 SVCHOST.EXE
  4748 SPOOLSV.EXE
  1636 CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Drops desktop.ini file(s) (1 IoC)
Processes: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  File opened for modification C:\Recycled\desktop.ini  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Every entry is "File opened (read-only) \??\<letter>:" by the named process; the listing stops at 64 entries. Grouped by process and sorted by drive letter:
  SVCHOST.EXE (13): E: F: G: J: K: L: M: N: P: S: U: V: X:
  SPOOLSV.EXE (16): F: G: H: I: J: L: M: O: P: Q: S: T: W: X: Y: Z:
  CTFMON.EXE (18): E: F: G: H: I: J: K: L: M: N: P: Q: S: U: V: W: X: Y:
  bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe (17): E: F: G: H: J: L: M: N: O: P: Q: S: V: W: X: Y: Z:
The sample and each dropped copy walk the drive letters regardless of whether a volume is mounted there; the report records only read-only opens of the roots.
Drops file in Program Files directory (1 IoC)
Processes: bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Drops file in Windows directory (4 IoCs)
Processes: SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  File opened for modification C:\Windows\Fonts\ Explorer.exe  (opened by each of the four processes; the blank after Fonts\ is the no-break space noted under the WinLogon signature)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
The only process here is WINWORD.EXE, which the sample launched to open the .doc in its Temp directory (see the process tree below). These reads are attributed to Word itself, not to the sample or its dropped copies, so they should not be read as sandbox evasion by the malware.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
As with the processor checks, these are WINWORD.EXE's own reads.
Modifies registry class (29 IoCs)
Processes: SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Deduplicated; "all four" means SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE and the sample each performed the action.
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"  (all four)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\  (all four; the report shows no value string for this write)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"  (all four)
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"  (all four)
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"  (all four)
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"  (all four)
  Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  (bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe)
Note: scrfile is the class for .scr screensaver executables. Renaming its friendly type to "Microsoft Word 97 - 2003 Document", removing its config and install verbs, and pointing the Word.Document.8 icon at the docicon.exe the sample had opened for modification (see Drops file in Program Files directory) makes a .scr payload present itself as a Word document in Explorer; with HideFileExt = 1 the .scr extension is not displayed either. The InfoTip/QuickTip/TileInfo values change the hover-tooltip property lists for all file types (*).
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid / process:
  2864 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process, collapsed to counts (the listing stops at 64 entries):
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe: 12
  2176 SPOOLSV.EXE: 24
  2688 SVCHOST.EXE: 16
  3776 CTFMON.EXE: 12
Suspicious use of SetWindowsHookEx (23 IoCs)
pid / process:
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
  2688 SVCHOST.EXE
  4104 SVCHOST.EXE
  2176 SPOOLSV.EXE
  4676 SVCHOST.EXE
  1040 SPOOLSV.EXE
  3776 CTFMON.EXE
  3520 SVCHOST.EXE
  4940 SPOOLSV.EXE
  5008 CTFMON.EXE
  4768 CTFMON.EXE
  864 SPOOLSV.EXE
  4064 CTFMON.EXE
  4724 SVCHOST.EXE
  4748 SPOOLSV.EXE
  1636 CTFMON.EXE
  2864 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (47 IoCs)
Each writer-to-target pair appears three times in the report (twice for WINWORD.EXE); collapsed here to one line per pair:
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 2688 SVCHOST.EXE
  2688 SVCHOST.EXE -> 4104 SVCHOST.EXE
  2688 SVCHOST.EXE -> 2176 SPOOLSV.EXE
  2176 SPOOLSV.EXE -> 4676 SVCHOST.EXE
  2176 SPOOLSV.EXE -> 1040 SPOOLSV.EXE
  2176 SPOOLSV.EXE -> 3776 CTFMON.EXE
  3776 CTFMON.EXE -> 3520 SVCHOST.EXE
  3776 CTFMON.EXE -> 4940 SPOOLSV.EXE
  3776 CTFMON.EXE -> 5008 CTFMON.EXE
  2688 SVCHOST.EXE -> 4768 CTFMON.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 864 SPOOLSV.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 4064 CTFMON.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 4724 SVCHOST.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 4748 SPOOLSV.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 1636 CTFMON.EXE
  1312 bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe -> 2864 WINWORD.EXE
Every target is a process the writer itself spawned (compare the process tree below); no writes into unrelated processes are recorded.
Processes
Tree as reported, indented by nesting level; PIDs are taken from the Executes dropped EXE and WriteProcessMemory tables above. Each dropped copy is started with the argument :agent.

C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe  (PID 1312)
  command: "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE  (PID 2688)
    command: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE  (PID 4104)
      command: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE  (PID 2176)
      command: C:\recycled\SPOOLSV.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE  (PID 4676)
        command: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE  (PID 1040)
        command: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\recycled\CTFMON.EXE  (PID 3776)
        command: C:\recycled\CTFMON.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE  (PID 3520)
          command: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE  (PID 4940)
          command: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\recycled\CTFMON.EXE  (PID 5008)
          command: C:\recycled\CTFMON.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

    C:\recycled\CTFMON.EXE  (PID 4768)
      command: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE  (PID 864)
    command: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE  (PID 4064)
    command: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SVCHOST.EXE  (PID 4724)
    command: C:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE  (PID 4748)
    command: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE  (PID 1636)
    command: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2864)
    command: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files, deduplicated: the report lists the CTFMON.EXE, SPOOLSV.EXE and SVCHOST.EXE entries five times each and Flu Burung.txt three times, always with identical hashes. All four dropped executables are 42KB like the submitted sample but each carries a different hash, so a hash match on the submitted file alone will not catch the copies.

C:\Recycled\CTFMON.EXE
Filesize: 42KB
MD5: fe3e5e19a06de54942f5fe4e60c2827b
SHA1: b17c3c6916d201b82709ac4cc2a5fb8a9efd672b
SHA256: adc28e08902c171e46f05f119316acd9f82a1a41a872b22733f581fc697a53cf
SHA512: aa2e019c3525fc6b9285b0b354b32dd1203188bcba060681795f1edd9ef8328352bc98f31ce25d673cb6c56007235ec7f957f5994314242d1b6efea564f9bc30

C:\Recycled\SPOOLSV.EXE
Filesize: 42KB
MD5: 4c0754bef44eb4a375e002572eaf4393
SHA1: 3d68c1b32b7b6bfc9560cb2cdd3f23bc0634562c
SHA256: 5ae11ee4b409fc1daae6d0a90dbdca0e6d1fcc0eae1561a0ad852b6594da0ce5
SHA512: b5fcfac68f93392a7a3a0ff7651a1575139fafae136d7103eda066ef4d33362ebf6aa13795693787ea553f828f75b47eb60e328066470ea42badd7c5d4608fd9

C:\Recycled\SVCHOST.EXE
Filesize: 42KB
MD5: 3203bd7a4fd55dda6257bce7413065b1
SHA1: 921170c9fa715a80cafc57b8ae16c2e55bd3014f
SHA256: 643ba1c1c8ca3a22a66fd9de02524e741f9ec9cd3fd82f307c6a30770771d769
SHA512: 070dc2dd2020f3283e9ff968eeb9583853a708d23705990bc3451e93120b0a9cc35bab0f096eb1ad68be57d3603190d79a7a66b0c54dfbf6450d095bf3b7c6e5

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize: 2KB
MD5: 1a1dce35d60d2c70ca8894954fd5d384
SHA1: 58547dd65d506c892290755010d0232da34ee000
SHA256: 2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA512: 4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

C:\Windows\Fonts\ Explorer.exe
Filesize: 42KB
MD5: 77d08501ad35a2b70244006a3e708a1e
SHA1: 2e45133580e06e2e3fdfd39360fe0e553dade9ec
SHA256: 27cb439c2fb7cbb84dc46faaf6e8520fb163466a00cb429f0c9e35a053c824f3
SHA512d5e3bf74b02e2a64e1f98565005d0d9744c56cc22c341ec1c774a40370f24eb7bd020bac46e08db196d14236bf339603ef0d38a4ba15bf92820d81eb4bd1d6bd
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD5c475907c060f521982747a97fc639713
SHA190ad2c0061490f2c9abc02f6fb0bfa7b729310b4
SHA256ccd62fdc475f795df38dd3e36612fb86658181d451ae323bc8daa9192f441bb0
SHA5121806999d1ad200e6623e58fa3613bb8a0e69e3d1395fe49c13b7db5e7ddd10057215ae556a873e4f0c4a4b13bf045d4e27328d9c258b3fb079b40838c329d720
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD5a43b9106400e12218d4ee653a313517c
SHA1eb144102993c6f1d00dbecc30a5bfc45d07b0958
SHA25684ef632004e2165fbd721de095be0c3501a50f0d08b341e9b601b2a282c84cb3
SHA512b8936c307297030ea430d377de6975d74562e6f9a8e8c5f0683eab26cff910874f48740da0a7a4c4759c437162ac7d09f9cc5f13b234fb8158d0bb372aaac1a4
-
C:\recycled\CTFMON.EXEFilesize
42KB
MD5fe3e5e19a06de54942f5fe4e60c2827b
SHA1b17c3c6916d201b82709ac4cc2a5fb8a9efd672b
SHA256adc28e08902c171e46f05f119316acd9f82a1a41a872b22733f581fc697a53cf
SHA512aa2e019c3525fc6b9285b0b354b32dd1203188bcba060681795f1edd9ef8328352bc98f31ce25d673cb6c56007235ec7f957f5994314242d1b6efea564f9bc30
-
C:\recycled\SPOOLSV.EXEFilesize
42KB
MD54c0754bef44eb4a375e002572eaf4393
SHA13d68c1b32b7b6bfc9560cb2cdd3f23bc0634562c
SHA2565ae11ee4b409fc1daae6d0a90dbdca0e6d1fcc0eae1561a0ad852b6594da0ce5
SHA512b5fcfac68f93392a7a3a0ff7651a1575139fafae136d7103eda066ef4d33362ebf6aa13795693787ea553f828f75b47eb60e328066470ea42badd7c5d4608fd9
-
C:\recycled\SVCHOST.EXEFilesize
42KB
MD53203bd7a4fd55dda6257bce7413065b1
SHA1921170c9fa715a80cafc57b8ae16c2e55bd3014f
SHA256643ba1c1c8ca3a22a66fd9de02524e741f9ec9cd3fd82f307c6a30770771d769
SHA512070dc2dd2020f3283e9ff968eeb9583853a708d23705990bc3451e93120b0a9cc35bab0f096eb1ad68be57d3603190d79a7a66b0c54dfbf6450d095bf3b7c6e5
-
memory/864-197-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/864-191-0x0000000000000000-mapping.dmp
-
memory/1040-162-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1040-157-0x0000000000000000-mapping.dmp
-
memory/1312-132-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1312-221-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1636-215-0x0000000000000000-mapping.dmp
-
memory/1636-219-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2176-145-0x0000000000000000-mapping.dmp
-
memory/2176-229-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2176-165-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2688-230-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2688-135-0x0000000000000000-mapping.dmp
-
memory/2688-164-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2864-223-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2864-227-0x00007FF8F9330000-0x00007FF8F9340000-memory.dmpFilesize
64KB
-
memory/2864-228-0x00007FF8F9330000-0x00007FF8F9340000-memory.dmpFilesize
64KB
-
memory/2864-225-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2864-226-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2864-220-0x0000000000000000-mapping.dmp
-
memory/2864-222-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2864-224-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/3520-176-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3520-172-0x0000000000000000-mapping.dmp
-
memory/3776-206-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3776-163-0x0000000000000000-mapping.dmp
-
memory/4064-203-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4064-196-0x0000000000000000-mapping.dmp
-
memory/4104-146-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4104-141-0x0000000000000000-mapping.dmp
-
memory/4676-158-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4676-153-0x0000000000000000-mapping.dmp
-
memory/4724-207-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4724-210-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4724-202-0x0000000000000000-mapping.dmp
-
memory/4748-214-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4748-209-0x0000000000000000-mapping.dmp
-
memory/4768-192-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4768-186-0x0000000000000000-mapping.dmp
-
memory/4940-181-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4940-177-0x0000000000000000-mapping.dmp
-
memory/5008-187-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/5008-182-0x0000000000000000-mapping.dmp