c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Size

42KB
MD5

0190aa691ecb51be01cb7debbb4177be
SHA1

6850673e1d151c4d63b4a97eb1faa70d6cdbd3ba
SHA256

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463
SHA512

3d975be4d16e1c154437e574058ad18f41b9e4115cd51d78a77e9a6f51bc2b466573a0bf3859304125dc35e0d4727c1378a3b9f27ce5756a2f8650724842559d
SSDEEP

768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D88888888885:hzOCay4wV339rPjzbpLwRJ9pSdoIs

Score

10^/10

aspackv2 evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SVCHOST.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeCTFMON.EXESPOOLSV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

ASPack v2.12-2.42 33 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\recycled\SVCHOST.exe	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
\Recycled\SVCHOST.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXE

pid	process
900	SVCHOST.EXE
1076	SVCHOST.EXE
332	SPOOLSV.EXE
868	SVCHOST.EXE
1656	SPOOLSV.EXE
1276	CTFMON.EXE
688	SVCHOST.EXE
892	SPOOLSV.EXE
1984	CTFMON.EXE
1268	CTFMON.EXE
784	SPOOLSV.EXE
1412	CTFMON.EXE

Loads dropped DLL 15 IoCs

Processes:

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

pid	process
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
900	SVCHOST.EXE
900	SVCHOST.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
1276	CTFMON.EXE
1276	CTFMON.EXE
1276	CTFMON.EXE
900	SVCHOST.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

description ioc process

File opened for modification C:\Recycled\desktop.ini c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CTFMON.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSVCHOST.EXESPOOLSV.EXE

description	ioc	process
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\F:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\K:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\O:	CTFMON.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\G:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\V:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\X:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\V:	CTFMON.EXE
File opened (read-only)	\??\M:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\Q:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\T:	CTFMON.EXE
File opened (read-only)	\??\X:	CTFMON.EXE
File opened (read-only)	\??\N:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\H:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\G:	CTFMON.EXE
File opened (read-only)	\??\I:	CTFMON.EXE
File opened (read-only)	\??\S:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\U:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\W:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\E:	CTFMON.EXE
File opened (read-only)	\??\R:	CTFMON.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	CTFMON.EXE
File opened (read-only)	\??\Z:	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE

Drops file in Windows directory 6 IoCs

Processes:

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	CTFMON.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSPOOLSV.EXECTFMON.EXESVCHOST.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	CTFMON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1908 WINWORD.EXE

pid	process
1908	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SPOOLSV.EXESVCHOST.EXECTFMON.EXEc577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe

pid	process
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
1276	CTFMON.EXE
1276	CTFMON.EXE
1276	CTFMON.EXE
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
332	SPOOLSV.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
900	SVCHOST.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
900	SVCHOST.EXE
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
1276	CTFMON.EXE
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
332	SPOOLSV.EXE
332	SPOOLSV.EXE
332	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

pid	process
1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
900	SVCHOST.EXE
1076	SVCHOST.EXE
332	SPOOLSV.EXE
868	SVCHOST.EXE
1656	SPOOLSV.EXE
1276	CTFMON.EXE
688	SVCHOST.EXE
892	SPOOLSV.EXE
1984	CTFMON.EXE
1268	CTFMON.EXE
784	SPOOLSV.EXE
1412	CTFMON.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

description	pid	process	target process
PID 1552 wrote to memory of 900	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SVCHOST.EXE
PID 1552 wrote to memory of 900	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SVCHOST.EXE
PID 1552 wrote to memory of 900	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SVCHOST.EXE
PID 1552 wrote to memory of 900	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SVCHOST.EXE
PID 900 wrote to memory of 1076	900	SVCHOST.EXE	SVCHOST.EXE
PID 900 wrote to memory of 1076	900	SVCHOST.EXE	SVCHOST.EXE
PID 900 wrote to memory of 1076	900	SVCHOST.EXE	SVCHOST.EXE
PID 900 wrote to memory of 1076	900	SVCHOST.EXE	SVCHOST.EXE
PID 900 wrote to memory of 332	900	SVCHOST.EXE	SPOOLSV.EXE
PID 900 wrote to memory of 332	900	SVCHOST.EXE	SPOOLSV.EXE
PID 900 wrote to memory of 332	900	SVCHOST.EXE	SPOOLSV.EXE
PID 900 wrote to memory of 332	900	SVCHOST.EXE	SPOOLSV.EXE
PID 332 wrote to memory of 868	332	SPOOLSV.EXE	SVCHOST.EXE
PID 332 wrote to memory of 868	332	SPOOLSV.EXE	SVCHOST.EXE
PID 332 wrote to memory of 868	332	SPOOLSV.EXE	SVCHOST.EXE
PID 332 wrote to memory of 868	332	SPOOLSV.EXE	SVCHOST.EXE
PID 332 wrote to memory of 1656	332	SPOOLSV.EXE	SPOOLSV.EXE
PID 332 wrote to memory of 1656	332	SPOOLSV.EXE	SPOOLSV.EXE
PID 332 wrote to memory of 1656	332	SPOOLSV.EXE	SPOOLSV.EXE
PID 332 wrote to memory of 1656	332	SPOOLSV.EXE	SPOOLSV.EXE
PID 332 wrote to memory of 1276	332	SPOOLSV.EXE	CTFMON.EXE
PID 332 wrote to memory of 1276	332	SPOOLSV.EXE	CTFMON.EXE
PID 332 wrote to memory of 1276	332	SPOOLSV.EXE	CTFMON.EXE
PID 332 wrote to memory of 1276	332	SPOOLSV.EXE	CTFMON.EXE
PID 1276 wrote to memory of 688	1276	CTFMON.EXE	SVCHOST.EXE
PID 1276 wrote to memory of 688	1276	CTFMON.EXE	SVCHOST.EXE
PID 1276 wrote to memory of 688	1276	CTFMON.EXE	SVCHOST.EXE
PID 1276 wrote to memory of 688	1276	CTFMON.EXE	SVCHOST.EXE
PID 1276 wrote to memory of 892	1276	CTFMON.EXE	SPOOLSV.EXE
PID 1276 wrote to memory of 892	1276	CTFMON.EXE	SPOOLSV.EXE
PID 1276 wrote to memory of 892	1276	CTFMON.EXE	SPOOLSV.EXE
PID 1276 wrote to memory of 892	1276	CTFMON.EXE	SPOOLSV.EXE
PID 1276 wrote to memory of 1984	1276	CTFMON.EXE	CTFMON.EXE
PID 1276 wrote to memory of 1984	1276	CTFMON.EXE	CTFMON.EXE
PID 1276 wrote to memory of 1984	1276	CTFMON.EXE	CTFMON.EXE
PID 1276 wrote to memory of 1984	1276	CTFMON.EXE	CTFMON.EXE
PID 900 wrote to memory of 1268	900	SVCHOST.EXE	CTFMON.EXE
PID 900 wrote to memory of 1268	900	SVCHOST.EXE	CTFMON.EXE
PID 900 wrote to memory of 1268	900	SVCHOST.EXE	CTFMON.EXE
PID 900 wrote to memory of 1268	900	SVCHOST.EXE	CTFMON.EXE
PID 1552 wrote to memory of 784	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SPOOLSV.EXE
PID 1552 wrote to memory of 784	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SPOOLSV.EXE
PID 1552 wrote to memory of 784	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SPOOLSV.EXE
PID 1552 wrote to memory of 784	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	SPOOLSV.EXE
PID 1552 wrote to memory of 1412	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	CTFMON.EXE
PID 1552 wrote to memory of 1412	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	CTFMON.EXE
PID 1552 wrote to memory of 1412	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	CTFMON.EXE
PID 1552 wrote to memory of 1412	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	CTFMON.EXE
PID 1552 wrote to memory of 1908	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	WINWORD.EXE
PID 1552 wrote to memory of 1908	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	WINWORD.EXE
PID 1552 wrote to memory of 1908	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	WINWORD.EXE
PID 1552 wrote to memory of 1908	1552	c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
"C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1076

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:868

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:784

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
C:\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
C:\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
C:\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
cc343ce55a71aef870702feb2fe6e643

SHA1
aa4a2e3ed64a5ec8fbca102ed5cb814509d3003c

SHA256
496380aa525d8ee53fe3fd45fe34e714089acf3cbf6e2e33da810346f018c232

SHA512
90e3e99b4c75530ae1c9e2e2b3e9d773a6b749bf525bfb7e26fbd5b38e0ab5818f1e24b030a08815352578b87abfc8c96ee5ee97e4aa6856c18f0b8cb8b9ba3c

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
e5e370c67518e4263ca0a807cbfc87e5

SHA1
d36e234d7204fd8a3556a1bd341beecf3101a1cb

SHA256
efc4e177112ec18876ed54bf8593dc35a25679855fefd437814f6dd9d1d22cfa

SHA512
976f15b0bbcc6b8d00ac5e30e71e1fd4eda04c93639ad5e7d3809546f3e78696f6a58e1abc30e91526bf53a1a8dd32084ec2dabdea0bc025270a08a2630d8f35

Download Submit
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB

MD5
e5e370c67518e4263ca0a807cbfc87e5

SHA1
d36e234d7204fd8a3556a1bd341beecf3101a1cb

SHA256
efc4e177112ec18876ed54bf8593dc35a25679855fefd437814f6dd9d1d22cfa

SHA512
976f15b0bbcc6b8d00ac5e30e71e1fd4eda04c93639ad5e7d3809546f3e78696f6a58e1abc30e91526bf53a1a8dd32084ec2dabdea0bc025270a08a2630d8f35

Download Submit
C:\recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
C:\recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
C:\recycled\SVCHOST.exe
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
\Recycled\CTFMON.EXE
Filesize
42KB

MD5
05ad0c5b4471dd12ddfb21dd3eb2e940

SHA1
0cc5d4d81e57824323849f483134eb7e0c62d084

SHA256
d0a82eb322ac8775c7055b326cb99ec27dd8d059dfa979ff3179ff577a8d4e4b

SHA512
86f7190d32ec5942890b7f4fb53dc9f0cafd54cb06caa025c12a35ebe7c0a9cbf6a44814e699ea1d194ca5068630ae1a2da3d8369dff5bccd1fa98d6ed5ebd18

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SPOOLSV.EXE
Filesize
42KB

MD5
95b2e36a2341e8f09e44a5fbe5515a24

SHA1
417368385b77da8c736a194464f2d63e4eaffe2d

SHA256
f5f978974f2ed85ef0191af19f563a9501b7857a017ffbc11c0cfe3f42b5e266

SHA512
68eec94e354ee555312fa328158b92589c871b7ab486277f2d81cfa45964ee4520116e457417c24197a16979693a2f486f1427ca5b3eb1781dc76c85be088eff

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
\Recycled\SVCHOST.EXE
Filesize
42KB

MD5
ac6f308c2d70698187b0bc31912921d7

SHA1
4e9c232360c490d85eaa7784496752bb39e27ed7

SHA256
63e8197457e189557a8533cc4388b6a0cf5a036f7eafdfb7b82f689f89c3d3fe

SHA512
56d6eabd69825167705861cd86a84274f322d448440352c6280b9f67e2d13fa52aaf2580b397583b52573114425da3cfe070a3c02a01f031150b886929069027

Download Submit
memory/332-75-0x0000000000000000-mapping.dmp

Download
memory/332-131-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/688-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/688-105-0x0000000000000000-mapping.dmp

Download
memory/784-136-0x0000000000000000-mapping.dmp

Download
memory/784-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/784-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/868-83-0x0000000000000000-mapping.dmp

Download
memory/868-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/892-117-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/892-112-0x0000000000000000-mapping.dmp

Download
memory/900-129-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/900-130-0x00000000025A0000-0x00000000025BA000-memory.dmp

Filesize
104KB

Download
memory/900-59-0x0000000000000000-mapping.dmp

Download
memory/900-158-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1076-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1076-67-0x0000000000000000-mapping.dmp

Download
memory/1268-123-0x0000000000000000-mapping.dmp

Download
memory/1268-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1276-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1276-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1276-97-0x0000000000000000-mapping.dmp

Download
memory/1412-142-0x0000000000000000-mapping.dmp

Download
memory/1412-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1552-149-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1552-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1552-128-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1552-56-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1552-148-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1656-89-0x0000000000000000-mapping.dmp

Download
memory/1656-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1908-150-0x0000000000000000-mapping.dmp

Download
memory/1908-152-0x0000000072661000-0x0000000072664000-memory.dmp

Filesize
12KB

Download
memory/1908-153-0x00000000700E1000-0x00000000700E3000-memory.dmp

Filesize
8KB

Download
memory/1908-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1908-156-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/1908-157-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/1984-116-0x0000000000000000-mapping.dmp

Download
memory/1984-121-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads