Analysis

max time kernel: 152s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 20:31
Static task: static1
Behavioral task: behavioral1
  Sample: b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe
  Resource: win10v2004-20220812-en

The results below are from behavioral2 (Windows 10 2004 x64, image win10v2004-20220812-en). The sample itself is 32-bit: the system binaries it starts load from C:\Windows\SysWOW64 and its HKLM writes are redirected into WOW6432Node, which matters for the persistence entries discussed under Signatures.
General

Target: b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe
Size: 89KB
MD5: 58051b0e471a448665a7402f0f557783
SHA1: 030a2478706cdb35ed8192e4aa38ec8ed4ec10f0
SHA256: b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204
SHA512: 7bde5593d1bcf5c69ff1b36831e742239ce702d9e5154270b2ac10ef08a72091b83d27cd831e0fac25a58be09af7571b22aba60fe41c327aa0bb09b83bd43b5f
SSDEEP: 1536:7keK40T/mx7y9v7Z/Z2V/GSAFRfBh7VoKO:AD40Dmx7y9DZ/Z2hGVaKO
Malware Config: (no entries)

Signatures

In the entries below, "the sample" is b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe (PID 4712). SVCHOST.EXE, SPOOLSV.EXE and CTFMON.EXE are the executables it drops into C:\recycled, not the Windows binaries of the same names.
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)

Two Winlogon values are rewritten, each by the sample and by all three dropped executables:

- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (written by SPOOLSV.EXE, SVCHOST.EXE, the sample, CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," (written by SVCHOST.EXE, the sample, CTFMON.EXE, SPOOLSV.EXE)

Two points a responder should take from this. The per-user Shell value is not subject to WOW64 redirection and is read by userinit.exe at logon; the process tree below shows exactly that path being exercised, userinit.exe (PID 3296) starting Explorer.exe "C:\recycled\SVCHOST.exe" (PID 4692), so this entry is live. The Userinit value, by contrast, landed under WOW6432Node because the writer is a 32-bit process whose HKLM\SOFTWARE write was redirected; the 64-bit winlogon.exe consults the native Winlogon key, so on this x64 image that change is expected to be inert. Remediation should still clear both, and check the native HKLM key as well as the user hive of every profile on the host.
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)

- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (written by CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, the sample)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)

- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (written by the sample, CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE)

Both Explorer switches serve the same end: with extensions hidden and protected operating-system files hidden, a dropped executable carrying a document-style name and the re-labelled .scr class (see "Modifies registry class" below) is presented to the user as a document.
Executes dropped EXE (15 IoCs)

PID / process: 4400 SVCHOST.EXE, 4912 SVCHOST.EXE, 3348 SPOOLSV.EXE, 4132 SVCHOST.EXE, 1812 SPOOLSV.EXE, 2980 CTFMON.EXE, 1368 SVCHOST.EXE, 3692 SPOOLSV.EXE, 5016 CTFMON.EXE, 268 CTFMON.EXE, 3408 SPOOLSV.EXE, 4720 CTFMON.EXE, 5104 SVCHOST.EXE, 3808 SPOOLSV.EXE, 2208 CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

- Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (the sample)
Drops desktop.ini file(s) (1 IoC)

- File opened for modification C:\Recycled\desktop.ini (the sample)

C:\Recycled is the name of the recycle-bin folder on FAT-formatted Windows 9x volumes; on this NTFS Windows 10 image it is an ordinary directory the sample creates, and the desktop.ini alongside the dropped executables controls how Explorer presents it. The report does not show the file's contents.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Each process opens drive roots (\??\<letter>:) read-only, probing for additional volumes. Drive letters per process, as listed:

- the sample: E F G H I L M N O R S T U Y Z
- SVCHOST.EXE: E G H I J K L M N P Q U V W X Y Z
- SPOOLSV.EXE: G H J L M N O P Q R U V W X Z
- CTFMON.EXE: E G H I J K L N O Q R T U V W X Z
Drops file in Program Files directory (1 IoC)

- File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe (the sample)

This is the same docicon.exe that the sample and its drops then register as the DefaultIcon for Word.Document.8 (see "Modifies registry class").
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Caveat: the "ransomware" wording is the generic description attached to this signature. Nothing else in this report supports it; there are no encrypted-file writes or ransom notes, and the drive activity recorded above is read-only probing of drive roots.
Modifies registry class (29 IoCs)

Grouped by key (each value is written by the sample and by all three drops unless noted):

- Key deleted (the sample only): \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND, \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG, \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND, \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (default value; the data is not shown in the report) (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size" (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size" (the sample, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (the sample only)

The scrfile entries are the significant ones. scrfile is the file class behind the .scr (screen saver) extension, which is a plain PE executable. The sample renames the class's friendly name to "Microsoft Word 97 - 2003 Document" (this is the string Explorer shows in the Type column and in tooltips) and removes the Install and Config verbs that would otherwise expose the file as a screen saver. Together with HideFileExt = 1 and ShowSuperHidden = 0, a dropped .scr file is listed as a Word document with a Word icon. The scrfile\shell\open\ default is also rewritten, but the report does not record the new command, so whether double-clicking still runs the file directly cannot be confirmed from this page. The *\TileInfo, *\QuickTip and *\InfoTip values are ordinary Explorer property strings and do not change behaviour on their own.
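The Winlogon, Explorer and file-class changes above are the patterns a responder would want to pull out of registry telemetry automatically rather than by eye. The Python below is an added example and is not part of the sandbox report or of the sample: it parses lines in the report's own "Set value" / "Key deleted" format (the seven lines embedded in SAMPLE_IOCS are copied from the tables above and serve as constructed input) and flags deviations from the stock Winlogon defaults, the two Explorer hiding switches, and the re-labelling of the .scr class. The expected defaults, the rule names and the WOW6432Node annotation are this example's assumptions, not something the report states.

```python
"""Triage of registry 'Set value' / 'Key deleted' lines from a sandbox report.

Added example, not part of the sandbox report or of the sample. SAMPLE_IOCS is
constructed from the report's own IoC tables; the expected defaults, rule names
and WOW6432Node annotation are this example's assumptions.
"""

# Constructed input: seven lines copied from the signature tables above.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CTFMON.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" CTFMON.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size" SVCHOST.EXE
'''

OPS = ("Set value (str)", "Set value (int)", "Key deleted", "Key created")

# Assumption: stock Windows defaults for the two Winlogon values checked below.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_ioc(line):
    """Split one report line into op / path / value / process (None if not an IoC line)."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        return None
    rest = line[len(op):].strip()
    rest, _, process = rest.rpartition(" ")      # the writing process is the last token
    path, sep, raw = rest.partition(" = ")
    value = None
    if sep:
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]                         # outer quotes added by the report
        value = raw.replace("\\\\", "\\").replace('\\"', '"')  # undo report escaping
    return {"op": op, "path": path.strip(), "value": value, "process": process}


def assess(iocs):
    """Return (rule, process, detail) findings for the patterns seen in this report."""
    findings = []
    for ioc in iocs:
        p, v, proc = ioc["path"].lower(), ioc["value"] or "", ioc["process"]
        if p.endswith("\\winlogon\\shell") and v.lower() != DEFAULT_SHELL:
            findings.append(("winlogon_shell_hijack", proc, v))
        elif p.endswith("\\winlogon\\userinit") and v.rstrip(",").lower() != DEFAULT_USERINIT:
            # A 32-bit writer lands in the WOW6432Node view, which 64-bit winlogon.exe does not read.
            view = "WOW6432Node view" if "\\wow6432node\\" in p else "native view"
            findings.append(("winlogon_userinit_hijack", proc, f"{v} [{view}]"))
        elif p.endswith("\\explorer\\advanced\\hidefileext") and v == "1":
            findings.append(("explorer_hide_extensions", proc, v))
        elif p.endswith("\\explorer\\advanced\\showsuperhidden") and v == "0":
            findings.append(("explorer_hide_system_files", proc, v))
        elif "\\classes\\scrfile" in p and (ioc["op"] == "Key deleted" or "word" in v.lower()):
            # .scr class re-labelled as a Word document, or its verbs removed
            findings.append(("scrfile_class_masquerade", proc, f'{ioc["op"]}: {p}'))
    return findings


def triage(report_text):
    """Parse every IoC line in the text and return the findings."""
    iocs = [r for r in map(parse_ioc, report_text.splitlines()) if r]
    return assess(iocs)


if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_IOCS):
        print(f"{rule:28} {proc:14} {detail}")
```

Run as-is it reports six findings for the seven constructed lines (the TileInfo line is deliberately left unflagged). The same parser works on any feed that can be reshaped to these lines, such as EDR registry-set events; the Userinit rule's view annotation is the detail that tells a responder whether a 64-bit host will actually execute the entry at logon.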
Suspicious behavior: AddClipboardFormatListener (1 IoC)

- PID 1548 WINWORD.EXE (Word registering for clipboard notifications, expected for Word itself)
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Hits by PID, as listed: 4712 the sample (12), 2980 CTFMON.EXE (24), 3348 SPOOLSV.EXE (24), 4400 SVCHOST.EXE (4)
Suspicious use of SetWindowsHookEx (17 IoCs)

PID / process: 4712 the sample, 4400 SVCHOST.EXE, 4912 SVCHOST.EXE, 3348 SPOOLSV.EXE, 4132 SVCHOST.EXE, 1812 SPOOLSV.EXE, 2980 CTFMON.EXE, 1368 SVCHOST.EXE, 3692 SPOOLSV.EXE, 5016 CTFMON.EXE, 268 CTFMON.EXE, 3408 SPOOLSV.EXE, 4720 CTFMON.EXE, 5104 SVCHOST.EXE, 3808 SPOOLSV.EXE, 2208 CTFMON.EXE, 1548 WINWORD.EXE
Suspicious use of WriteProcessMemory (53 IoCs)

The report records three writes from each parent into each newly created child (the last pair has two). Collapsed to parent -> child, with the sandbox's procid_target in brackets; child images are taken from the process tree below, since the WriteProcessMemory lines name only the parent:

- 4712 the sample -> 4400 SVCHOST.EXE [82]
- 4400 SVCHOST.EXE -> 4912 SVCHOST.EXE [84]
- 4400 SVCHOST.EXE -> 3348 SPOOLSV.EXE [85]
- 3348 SPOOLSV.EXE -> 4132 SVCHOST.EXE [86]
- 3348 SPOOLSV.EXE -> 1812 SPOOLSV.EXE [87]
- 3348 SPOOLSV.EXE -> 2980 CTFMON.EXE [88]
- 2980 CTFMON.EXE -> 1368 SVCHOST.EXE [89]
- 2980 CTFMON.EXE -> 3692 SPOOLSV.EXE [90]
- 2980 CTFMON.EXE -> 5016 CTFMON.EXE [91]
- 4400 SVCHOST.EXE -> 268 CTFMON.EXE [92]
- 4712 the sample -> 3408 SPOOLSV.EXE [93]
- 4400 SVCHOST.EXE -> 3296 userinit.exe [94]
- 4712 the sample -> 4720 CTFMON.EXE [95]
- 3296 userinit.exe -> 4692 Explorer.exe [96]
- 4712 the sample -> 5104 SVCHOST.EXE [97]
- 4712 the sample -> 3808 SPOOLSV.EXE [98]
- 4712 the sample -> 2208 CTFMON.EXE [100]
- 4712 the sample -> 1548 WINWORD.EXE [101] (two writes recorded)
Processes

Depth number, command line, PID, then the signatures attributed to that process.

1  "C:\Users\Admin\AppData\Local\Temp\b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe"  (PID 4712)
   - Modifies WinLogon for persistence
   - Modifies visibility of file extensions in Explorer
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\recycled\SVCHOST.EXE :agent  (PID 4400)
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  C:\recycled\SVCHOST.EXE :agent  (PID 4912)
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
      3  C:\recycled\SPOOLSV.EXE :agent  (PID 3348)
         - Modifies WinLogon for persistence
         - Modifies visibility of file extensions in Explorer
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Enumerates connected drives
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4  C:\recycled\SVCHOST.EXE :agent  (PID 4132)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
         4  C:\recycled\SPOOLSV.EXE :agent  (PID 1812)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
         4  C:\recycled\CTFMON.EXE :agent  (PID 2980)
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Enumerates connected drives
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5  C:\recycled\SVCHOST.EXE :agent  (PID 1368)
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5  C:\recycled\SPOOLSV.EXE :agent  (PID 3692)
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5  C:\recycled\CTFMON.EXE :agent  (PID 5016)
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
      3  C:\recycled\CTFMON.EXE :agent  (PID 268)
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
      3  C:\Windows\SysWOW64\userinit.exe, command line C:\Windows\system32\userinit.exe  (PID 3296)
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\Explorer.exe, command line Explorer.exe "C:\recycled\SVCHOST.exe"  (PID 4692)
   2  C:\recycled\SPOOLSV.EXE :agent  (PID 3408)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2  C:\recycled\CTFMON.EXE :agent  (PID 4720)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2  C:\recycled\SVCHOST.EXE :agent  (PID 5104)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2  C:\recycled\SPOOLSV.EXE :agent  (PID 3808)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2  C:\recycled\CTFMON.EXE :agent  (PID 2208)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.doc" /o ""  (PID 1548)
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
1  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding  (PID 340)

Reading the tree: every dropped executable is started with the argument :agent, and the three names cycle through each other (SVCHOST starts SPOOLSV, SPOOLSV starts CTFMON, CTFMON starts SVCHOST), which is why the same three images appear at depths 2 to 5. The userinit.exe branch is the hijacked Winlogon Shell value being consumed: SVCHOST.EXE (PID 4400) launches userinit.exe, which reads the per-user Shell value and runs Explorer.exe with "C:\recycled\SVCHOST.exe" as its argument; this is how the infection is meant to come back at the next logon. Because the parent is 32-bit, userinit.exe is resolved to C:\Windows\SysWOW64 even though the command line names system32. Finally the sample opens a .doc with its own base name in Word, presumably the decoy the victim is meant to see. The second root, explorer.exe started with -Embedding, is a COM activation of the shell and is not attributed any signature.
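The tree above is also the input a hunter would feed to a masquerade check: the dropped executables borrow the names of svchost.exe, spoolsv.exe and ctfmon.exe but run from C:\recycled, and userinit.exe is started by one of them rather than by winlogon.exe. The Python below is an added example, not part of the report or of the sample. PROCS is constructed from the process tree above (PID, parent PID, image path, arguments as listed); the allow-list of system directories, the list of borrowed names and the rule names are this example's assumptions.

```python
"""Process-tree reconstruction and system-binary masquerade check.

Added example, not part of the sandbox report or of the sample. PROCS is
constructed from the process tree above; the system-directory allow-list and
the rule names are this example's assumptions.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.exe"

# Constructed input: (pid, parent pid, image path, arguments) as listed in the tree.
PROCS = [
    (4712, None, SAMPLE, ""),
    (4400, 4712, r"C:\recycled\SVCHOST.EXE", ":agent"),
    (4912, 4400, r"C:\recycled\SVCHOST.EXE", ":agent"),
    (3348, 4400, r"C:\recycled\SPOOLSV.EXE", ":agent"),
    (4132, 3348, r"C:\recycled\SVCHOST.EXE", ":agent"),
    (1812, 3348, r"C:\recycled\SPOOLSV.EXE", ":agent"),
    (2980, 3348, r"C:\recycled\CTFMON.EXE", ":agent"),
    (1368, 2980, r"C:\recycled\SVCHOST.EXE", ":agent"),
    (3692, 2980, r"C:\recycled\SPOOLSV.EXE", ":agent"),
    (5016, 2980, r"C:\recycled\CTFMON.EXE", ":agent"),
    (268, 4400, r"C:\recycled\CTFMON.EXE", ":agent"),
    (3296, 4400, r"C:\Windows\SysWOW64\userinit.exe", ""),
    (4692, 3296, r"C:\Windows\SysWOW64\Explorer.exe", r'"C:\recycled\SVCHOST.exe"'),
    (3408, 4712, r"C:\recycled\SPOOLSV.EXE", ":agent"),
    (4720, 4712, r"C:\recycled\CTFMON.EXE", ":agent"),
    (5104, 4712, r"C:\recycled\SVCHOST.EXE", ":agent"),
    (3808, 4712, r"C:\recycled\SPOOLSV.EXE", ":agent"),
    (2208, 4712, r"C:\recycled\CTFMON.EXE", ":agent"),
    (1548, 4712, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'/n "C:\Users\Admin\AppData\Local\Temp\b4f245ff07a85166016c6f4d465c7964904cf1efd1d15adb400d9009ad0c1204.doc" /o ""'),
    (340, None, r"C:\Windows\explorer.exe", "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
]

# Assumption: names the drops borrow, and the directories the real binaries live in.
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "ctfmon.exe", "userinit.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def find_masquerades(procs):
    """PIDs whose image carries a system-binary name but runs outside a system directory."""
    hits = []
    for pid, _ppid, path, _args in procs:
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS:
            hits.append(pid)
    return hits


def find_logon_abuse(procs):
    """Flag userinit.exe with a parent other than winlogon.exe, and an Explorer.exe
    whose argument is an executable (what a hijacked Winlogon Shell value produces)."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, path, args in procs:
        name = ntpath.basename(path).lower()
        parent = by_pid.get(ppid)
        parent_name = ntpath.basename(parent[2]).lower() if parent else None
        if name == "userinit.exe" and parent_name != "winlogon.exe":
            hits.append(("userinit_from_unexpected_parent", pid, parent[2] if parent else None))
        if name == "explorer.exe" and args.strip().strip('"').lower().endswith(".exe"):
            hits.append(("explorer_shell_launches_exe", pid, args))
    return hits


def render_tree(procs):
    """Indented one-line-per-process view, marking masquerading images."""
    children, roots = defaultdict(list), []
    for p in procs:
        (roots if p[1] is None else children[p[1]]).append(p)
    flagged = set(find_masquerades(procs))
    lines = []

    def walk(p, depth):
        mark = "  <-- masquerade" if p[0] in flagged else ""
        lines.append(f"{'  ' * depth}{p[0]} {p[2]} {p[3]}".rstrip() + mark)
        for child in children[p[0]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    for hit in find_logon_abuse(PROCS):
        print(*hit)
```

On the constructed input the masquerade rule returns exactly the 15 PIDs the report lists under "Executes dropped EXE", and the logon rule returns PID 3296 (userinit.exe parented by C:\recycled\SVCHOST.EXE) and PID 4692 (Explorer.exe handed an executable). The same two rules apply unchanged to Sysmon event 1 or EDR process-create records, where image path, parent image and command line are all available.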
Network: (no entries)

MITRE ATT&CK Enterprise v6
Downloads

The report lists 25 dropped-file entries without paths. Collapsed to distinct content, with the number of entries per hash set:

File A (6 entries), 89KB
  MD5: ed11bce29b444708a974964be7449dac
  SHA1: a863d5f0f8d7b2a09897c4f47afb851690d52591
  SHA256: b930029b85000e3d9e273e03125a48f70b67585738fd90103867460cf9d083a8
  SHA512: 56972aaae4a7907a58d67f758175d4f5f669d46278eaccbedbb6aec071b38ae4e2ca2f59b800fd714bf0d0feec86d78cea7952cd1d8ae9d8abab5b6f6d9aed96

File B (6 entries), 89KB
  MD5: 4c5e8385fd4f3690d48f065183fcb36e
  SHA1: ad5bae59e7be26ac7c4e1a417d86c59d3f929012
  SHA256: d0270dee8a7555a38aa3df0537ce4dec6abdced11e6b56a8e945aeda374b229f
  SHA512: 65861168518a0d65ab8653511df8e73eb8cb90798a3b671b771c3dfffd19ce74301b026bc1cac18386df3ca4da03e0cacc702e1b7765b0bfc61c77c4c774ad91

File C (6 entries), 89KB
  MD5: db780e7f00756de91ef6c8ace0ddc06f
  SHA1: fcd0c4f435d62a38537033016f92c6382de38928
  SHA256: af436dad95ff76d8fe99bb6ac5c2d507ca5609e4c653de8a3f48c9e20cdcb33d
  SHA512: 6b36c52f027f785e333998e9bda5418a01e0886a5ee21dd665a2328199bdd5d6ac03bc238f753ba03a9eedb6ac9ab8f75ec942f61009ea6e6f3c5ebaf0c0bfcb

File D (1 entry), 65B
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

File E (3 entries), 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

File F (3 entries), 2B
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Files A, B and C are each the same size as the submitted sample (89KB) yet none of them matches its hashes (MD5 58051b0e471a448665a7402f0f557783), and they differ from one another. That is consistent with three distinct builds behind the three dropped names SVCHOST.EXE, SPOOLSV.EXE and CTFMON.EXE, but the report does not record which hash belongs to which path, so hash-based blocking should cover all four binaries (the sample and A, B, C) rather than assume a one-to-one mapping. The small files (65B, 1KB, 2B) are likewise unattributed; the desktop.ini and the .doc decoy recorded elsewhere in this report are candidates, but nothing on this page confirms it.