Analysis
- max time kernel: 165s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 06:53
Behavioral task: behavioral1
- Sample: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- Resource: win10v2004-20220812-en
General
- Target: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- Size: 42KB
- MD5: 0190aa691ecb51be01cb7debbb4177be
- SHA1: 6850673e1d151c4d63b4a97eb1faa70d6cdbd3ba
- SHA256: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463
- SHA512: 3d975be4d16e1c154437e574058ad18f41b9e4115cd51d78a77e9a6f51bc2b466573a0bf3859304125dc35e0d4727c1378a3b9f27ce5756a2f8650724842559d
- SSDEEP: 768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D88888888885:hzOCay4wV339rPjzbpLwRJ9pSdoIs
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Processes: SPOOLSV.EXE, SVCHOST.EXE, c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, CTFMON.EXE
- SPOOLSV.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""
- SPOOLSV.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
- SVCHOST.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""
- SVCHOST.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
- CTFMON.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""
- CTFMON.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
Processes: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- CTFMON.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- SPOOLSV.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- SVCHOST.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
Processes: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- CTFMON.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- SPOOLSV.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- SVCHOST.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
YARA matches (resource / yara_rule), 21 hits, all on rule aspack_v212_v242:
- C:\Recycled\SVCHOST.EXE (5 hits) and C:\recycled\SVCHOST.EXE (1 hit): aspack_v212_v242
- C:\Recycled\SPOOLSV.EXE (5 hits) and C:\recycled\SPOOLSV.EXE (1 hit): aspack_v212_v242
- C:\Recycled\CTFMON.EXE (5 hits) and C:\recycled\CTFMON.EXE (1 hit): aspack_v212_v242
- C:\Windows\Fonts\ Explorer.exe (3 hits): aspack_v212_v242
Executes dropped EXE (15 IoCs)
Processes (pid, process):
- 4304 SVCHOST.EXE
- 1836 SVCHOST.EXE
- 4476 SPOOLSV.EXE
- 4272 SVCHOST.EXE
- 3208 SPOOLSV.EXE
- 4868 CTFMON.EXE
- 4276 SVCHOST.EXE
- 4512 SPOOLSV.EXE
- 4376 CTFMON.EXE
- 3828 CTFMON.EXE
- 1928 SPOOLSV.EXE
- 3916 CTFMON.EXE
- 1052 SVCHOST.EXE
- 3264 SPOOLSV.EXE
- 212 CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Drops desktop.ini file(s) (1 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: File opened for modification C:\Recycled\desktop.ini
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: CTFMON.EXE, c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, SPOOLSV.EXE, SVCHOST.EXE
All 64 IoCs are "File opened (read-only)" on a drive root, grouped here by process:
- CTFMON.EXE (18): \??\E: \??\F: \??\G: \??\H: \??\I: \??\L: \??\M: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe (16): \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\U: \??\X: \??\Z:
- SPOOLSV.EXE (17): \??\E: \??\F: \??\H: \??\I: \??\J: \??\L: \??\M: \??\N: \??\O: \??\P: \??\R: \??\S: \??\U: \??\V: \??\W: \??\X: \??\Y:
- SVCHOST.EXE (13): \??\G: \??\H: \??\I: \??\K: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\U: \??\V: \??\X: \??\Y:
Drops file in Program Files directory (1 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe
Drops file in Windows directory (4 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: File opened for modification C:\Windows\Fonts\ Explorer.exe
- SVCHOST.EXE: File opened for modification C:\Windows\Fonts\ Explorer.exe
- SPOOLSV.EXE: File opened for modification C:\Windows\Fonts\ Explorer.exe
- CTFMON.EXE: File opened for modification C:\Windows\Fonts\ Explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (29 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, SVCHOST.EXE, CTFMON.EXE, SPOOLSV.EXE
IoCs grouped by process:
- c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe (11):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"
  - Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND
- SVCHOST.EXE (6):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\
- CTFMON.EXE (6):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\
- SPOOLSV.EXE (6):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process):
- 4196 WINWORD.EXE (2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, SPOOLSV.EXE, SVCHOST.EXE, CTFMON.EXE
IoC counts by pid:
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe: 12
- 4476 SPOOLSV.EXE: 24
- 4304 SVCHOST.EXE: 16
- 4868 CTFMON.EXE: 12
Suspicious use of SetWindowsHookEx (24 IoCs)
Processes (pid, process):
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe
- 4304 SVCHOST.EXE
- 1836 SVCHOST.EXE
- 4476 SPOOLSV.EXE
- 4272 SVCHOST.EXE
- 3208 SPOOLSV.EXE
- 4868 CTFMON.EXE
- 4276 SVCHOST.EXE
- 4512 SPOOLSV.EXE
- 4376 CTFMON.EXE
- 3828 CTFMON.EXE
- 1928 SPOOLSV.EXE
- 3916 CTFMON.EXE
- 1052 SVCHOST.EXE
- 3264 SPOOLSV.EXE
- 212 CTFMON.EXE
- 4196 WINWORD.EXE (8 IoCs)
Suspicious use of WriteProcessMemory (47 IoCs)
Processes: c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE
Parent pid/process wrote to memory of target pid/process (count of IoCs):
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 4304 SVCHOST.EXE (3)
- 4304 SVCHOST.EXE -> 1836 SVCHOST.EXE (3)
- 4304 SVCHOST.EXE -> 4476 SPOOLSV.EXE (3)
- 4476 SPOOLSV.EXE -> 4272 SVCHOST.EXE (3)
- 4476 SPOOLSV.EXE -> 3208 SPOOLSV.EXE (3)
- 4476 SPOOLSV.EXE -> 4868 CTFMON.EXE (3)
- 4868 CTFMON.EXE -> 4276 SVCHOST.EXE (3)
- 4868 CTFMON.EXE -> 4512 SPOOLSV.EXE (3)
- 4868 CTFMON.EXE -> 4376 CTFMON.EXE (3)
- 4304 SVCHOST.EXE -> 3828 CTFMON.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 1928 SPOOLSV.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 3916 CTFMON.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 1052 SVCHOST.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 3264 SPOOLSV.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 212 CTFMON.EXE (3)
- 1828 c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe -> 4196 WINWORD.EXE (2)
Processes (tree; nesting level follows the report, PIDs as reported under Suspicious use of WriteProcessMemory)

C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe (PID 1828, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE (PID 4304, level 2)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE (PID 1836, level 3)
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE (PID 4476, level 3)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE (PID 4272, level 4)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE (PID 3208, level 4)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\recycled\CTFMON.EXE (PID 4868, level 4)
        Command line: C:\recycled\CTFMON.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE (PID 4276, level 5)
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE (PID 4512, level 5)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\recycled\CTFMON.EXE (PID 4376, level 5)
          Command line: C:\recycled\CTFMON.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

    C:\recycled\CTFMON.EXE (PID 3828, level 3)
      Command line: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE (PID 1928, level 2)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE (PID 3916, level 2)
    Command line: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SVCHOST.EXE (PID 1052, level 2)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE (PID 3264, level 2)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE (PID 212, level 2)
    Command line: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4196, level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c577649923bdabe3666fef4cc7c091da0ab618723d1a842f943195c60a603463.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Recycled\CTFMON.EXE
  Filesize: 42KB
  MD5: 2f768695be00af96295471a8e891d15b
  SHA1: 9a1ad8ded7637b9d815086732d9406e6259dca56
  SHA256: c8e6653b4264927151521a00a337e6ec2a9008f400b93e027f000efb68daacaa
  SHA512: f16d4d80f92298846d8ccef8446fe8a61fc503209f73c43ee259c7471d469302771af051a95994d77bdb62fba2b5aa3018b53f42a28e31107018d14806d6e660
- C:\Recycled\SPOOLSV.EXE
  Filesize: 42KB
  MD5: f4d0c1ae92b0a41b6e880795f91e0d7d
  SHA1: 5b1491e33de94eff067fb9338efa7eaa61296e9d
  SHA256: c07897f1b348a39be3fb84586c778dc3cf0fbbf07e1e753dc97542a8dbf38199
  SHA512: 208f7489be9560279557a45273cb0af9930701bd66c43759d0f009cdc07f67457db07c3a18d026210c73faf510c332b960dd8ac7ae27d43b3fb23ed65651a7a5
- C:\Recycled\SVCHOST.EXE
  Filesize: 42KB
  MD5: 1a753d5711dfbfe64863942e290e2c37
  SHA1: b0ec0f7a2ddaa7bfa977c65a316e395c41bd6ec0
  SHA256: a713f002962553a252f649de6e3e1afa3777ebd9a120fd352a10b8242e504f83
  SHA512: f599bd870272a1a7f62b213e9ca875e44d0f7a8871feed4a577b2ce933ef8f362e21e045924f00e7310507b2095e2f8ec2b4bb0fdcb624680fcbbf18ed522e06
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD50d2d62cb06c8b1d1db8a31f9ca4d58bc
SHA149be69548e7021648d0675c17999f61fc5323af0
SHA2566a4e89f24ceb56eef8fd89bfc968af5533ea57cca4fa87ea703d3a84c6d19237
SHA5123bb1d6d6f610010610d1d5e434e4ff5ea00af53ecbd44929e662f427abd452023ef181fa154630d500606993b23fe36c3a4611fa6acf49b105cff86cef3f6965
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD55962ba1e4be4c01eaae8af3e40a06e59
SHA175d4f5aef873cde65309c044f69e69088b8a63f9
SHA2561e4c6d7f24374ccc35e83f30c9eb5b2fe05e0d0fb835b083734c51a79bf85aa1
SHA51293c7991bd71cf0c3e50068cac84c5c96bca27c486c083514b06d9a055d6d71f944b8e63be9e5e552e126e4a8521fdd478716997d764dd5714bc5f6291bab7c4d
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD55962ba1e4be4c01eaae8af3e40a06e59
SHA175d4f5aef873cde65309c044f69e69088b8a63f9
SHA2561e4c6d7f24374ccc35e83f30c9eb5b2fe05e0d0fb835b083734c51a79bf85aa1
SHA51293c7991bd71cf0c3e50068cac84c5c96bca27c486c083514b06d9a055d6d71f944b8e63be9e5e552e126e4a8521fdd478716997d764dd5714bc5f6291bab7c4d
-
C:\recycled\CTFMON.EXEFilesize
42KB
MD52f768695be00af96295471a8e891d15b
SHA19a1ad8ded7637b9d815086732d9406e6259dca56
SHA256c8e6653b4264927151521a00a337e6ec2a9008f400b93e027f000efb68daacaa
SHA512f16d4d80f92298846d8ccef8446fe8a61fc503209f73c43ee259c7471d469302771af051a95994d77bdb62fba2b5aa3018b53f42a28e31107018d14806d6e660
-
C:\recycled\SPOOLSV.EXEFilesize
42KB
MD5f4d0c1ae92b0a41b6e880795f91e0d7d
SHA15b1491e33de94eff067fb9338efa7eaa61296e9d
SHA256c07897f1b348a39be3fb84586c778dc3cf0fbbf07e1e753dc97542a8dbf38199
SHA512208f7489be9560279557a45273cb0af9930701bd66c43759d0f009cdc07f67457db07c3a18d026210c73faf510c332b960dd8ac7ae27d43b3fb23ed65651a7a5
-
C:\recycled\SVCHOST.EXEFilesize
42KB
MD51a753d5711dfbfe64863942e290e2c37
SHA1b0ec0f7a2ddaa7bfa977c65a316e395c41bd6ec0
SHA256a713f002962553a252f649de6e3e1afa3777ebd9a120fd352a10b8242e504f83
SHA512f599bd870272a1a7f62b213e9ca875e44d0f7a8871feed4a577b2ce933ef8f362e21e045924f00e7310507b2095e2f8ec2b4bb0fdcb624680fcbbf18ed522e06
-