3a39886474d1c20035b6d6ff316ba949476e6da90092be550b500eed0aed6823

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0706b35653551f23f4a80a3e4ff51b1b.exe
Size

45KB
MD5

0706b35653551f23f4a80a3e4ff51b1b
SHA1

d40e6b9346cf1758a0c8ef7c30f8ba1b9cc016aa
SHA256

3a39886474d1c20035b6d6ff316ba949476e6da90092be550b500eed0aed6823
SHA512

6a412a5e73f9b6f4bc4d32089d42a37c99d16e072959db8580fdcd7dbc9c8600dcc2aba1ab17983fd0e3480b4386aade84926a915b43a5472f84149a388ebc90
SSDEEP

768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXi:EOxyeFo6NPCAosxYyXdF5oy3VoKi

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0706b35653551f23f4a80a3e4ff51b1b.exe

Executes dropped EXE 12 IoCs

pid	Process
2796	SVCHOST.EXE
2824	SVCHOST.EXE
2764	SVCHOST.EXE
2644	SVCHOST.EXE
2696	SVCHOST.EXE
2720	SPOOLSV.EXE
2728	SVCHOST.EXE
2400	SVCHOST.EXE
1788	SPOOLSV.EXE
2660	SPOOLSV.EXE
2328	SVCHOST.EXE
1700	SPOOLSV.EXE

Loads dropped DLL 20 IoCs

pid	Process
2688	0706b35653551f23f4a80a3e4ff51b1b.exe
2688	0706b35653551f23f4a80a3e4ff51b1b.exe
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2688	0706b35653551f23f4a80a3e4ff51b1b.exe
2688	0706b35653551f23f4a80a3e4ff51b1b.exe
2688	0706b35653551f23f4a80a3e4ff51b1b.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened for modification	F:\Recycled\desktop.ini	0706b35653551f23f4a80a3e4ff51b1b.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\U:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\J:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\K:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\R:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\T:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\M:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\L:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\N:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\X:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\S:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\V:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\W:	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\I:	0706b35653551f23f4a80a3e4ff51b1b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	0706b35653551f23f4a80a3e4ff51b1b.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	0706b35653551f23f4a80a3e4ff51b1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	0706b35653551f23f4a80a3e4ff51b1b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	0706b35653551f23f4a80a3e4ff51b1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
844	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2796	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2764	SVCHOST.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE
2720	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2688	0706b35653551f23f4a80a3e4ff51b1b.exe
2796	SVCHOST.EXE
2824	SVCHOST.EXE
2764	SVCHOST.EXE
2644	SVCHOST.EXE
2696	SVCHOST.EXE
2720	SPOOLSV.EXE
2728	SVCHOST.EXE
2400	SVCHOST.EXE
1788	SPOOLSV.EXE
2660	SPOOLSV.EXE
2328	SVCHOST.EXE
1700	SPOOLSV.EXE
844	WINWORD.EXE
844	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2796	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	27
PID 2688 wrote to memory of 2796	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	27
PID 2688 wrote to memory of 2796	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	27
PID 2688 wrote to memory of 2796	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	27
PID 2796 wrote to memory of 2824	2796	SVCHOST.EXE	26
PID 2796 wrote to memory of 2824	2796	SVCHOST.EXE	26
PID 2796 wrote to memory of 2824	2796	SVCHOST.EXE	26
PID 2796 wrote to memory of 2824	2796	SVCHOST.EXE	26
PID 2796 wrote to memory of 2764	2796	SVCHOST.EXE	25
PID 2796 wrote to memory of 2764	2796	SVCHOST.EXE	25
PID 2796 wrote to memory of 2764	2796	SVCHOST.EXE	25
PID 2796 wrote to memory of 2764	2796	SVCHOST.EXE	25
PID 2764 wrote to memory of 2644	2764	SVCHOST.EXE	24
PID 2764 wrote to memory of 2644	2764	SVCHOST.EXE	24
PID 2764 wrote to memory of 2644	2764	SVCHOST.EXE	24
PID 2764 wrote to memory of 2644	2764	SVCHOST.EXE	24
PID 2764 wrote to memory of 2696	2764	SVCHOST.EXE	23
PID 2764 wrote to memory of 2696	2764	SVCHOST.EXE	23
PID 2764 wrote to memory of 2696	2764	SVCHOST.EXE	23
PID 2764 wrote to memory of 2696	2764	SVCHOST.EXE	23
PID 2764 wrote to memory of 2720	2764	SVCHOST.EXE	22
PID 2764 wrote to memory of 2720	2764	SVCHOST.EXE	22
PID 2764 wrote to memory of 2720	2764	SVCHOST.EXE	22
PID 2764 wrote to memory of 2720	2764	SVCHOST.EXE	22
PID 2720 wrote to memory of 2728	2720	SPOOLSV.EXE	21
PID 2720 wrote to memory of 2728	2720	SPOOLSV.EXE	21
PID 2720 wrote to memory of 2728	2720	SPOOLSV.EXE	21
PID 2720 wrote to memory of 2728	2720	SPOOLSV.EXE	21
PID 2720 wrote to memory of 2400	2720	SPOOLSV.EXE	20
PID 2720 wrote to memory of 2400	2720	SPOOLSV.EXE	20
PID 2720 wrote to memory of 2400	2720	SPOOLSV.EXE	20
PID 2720 wrote to memory of 2400	2720	SPOOLSV.EXE	20
PID 2720 wrote to memory of 1788	2720	SPOOLSV.EXE	19
PID 2720 wrote to memory of 1788	2720	SPOOLSV.EXE	19
PID 2720 wrote to memory of 1788	2720	SPOOLSV.EXE	19
PID 2720 wrote to memory of 1788	2720	SPOOLSV.EXE	19
PID 2796 wrote to memory of 2660	2796	SVCHOST.EXE	18
PID 2796 wrote to memory of 2660	2796	SVCHOST.EXE	18
PID 2796 wrote to memory of 2660	2796	SVCHOST.EXE	18
PID 2796 wrote to memory of 2660	2796	SVCHOST.EXE	18
PID 2796 wrote to memory of 2788	2796	SVCHOST.EXE	15
PID 2796 wrote to memory of 2788	2796	SVCHOST.EXE	15
PID 2796 wrote to memory of 2788	2796	SVCHOST.EXE	15
PID 2796 wrote to memory of 2788	2796	SVCHOST.EXE	15
PID 2788 wrote to memory of 2916	2788	userinit.exe	16
PID 2788 wrote to memory of 2916	2788	userinit.exe	16
PID 2788 wrote to memory of 2916	2788	userinit.exe	16
PID 2788 wrote to memory of 2916	2788	userinit.exe	16
PID 2688 wrote to memory of 2328	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	45
PID 2688 wrote to memory of 2328	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	45
PID 2688 wrote to memory of 2328	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	45
PID 2688 wrote to memory of 2328	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	45
PID 2688 wrote to memory of 1700	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	42
PID 2688 wrote to memory of 1700	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	42
PID 2688 wrote to memory of 1700	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	42
PID 2688 wrote to memory of 1700	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	42
PID 2688 wrote to memory of 844	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	41
PID 2688 wrote to memory of 844	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	41
PID 2688 wrote to memory of 844	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	41
PID 2688 wrote to memory of 844	2688	0706b35653551f23f4a80a3e4ff51b1b.exe	41
PID 844 wrote to memory of 1108	844	WINWORD.EXE	46
PID 844 wrote to memory of 1108	844	WINWORD.EXE	46
PID 844 wrote to memory of 1108	844	WINWORD.EXE	46
PID 844 wrote to memory of 1108	844	WINWORD.EXE	46

C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\Explorer.exe
  Explorer.exe "C:\recycled\SVCHOST.exe"
  2⤵
  PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2188

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2400

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2728

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2644

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\0706b35653551f23f4a80a3e4ff51b1b.exe
"C:\Users\Admin\AppData\Local\Temp\0706b35653551f23f4a80a3e4ff51b1b.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0706b35653551f23f4a80a3e4ff51b1b.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1108
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1700
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
e8f2ea5588fb104a28244a92f0908868

SHA1
06f0a9afd071c3378068a608a3d5b3a8373b3949

SHA256
4ce1a9425581e934f03356cf748e81a026ea89830cdaa912c5cffb774d3ff343

SHA512
b6cb070ec4dc5aa96693257a3240253ab2ca013ec70c437a9f8b64b13fd73548d9073c7256b94fa53e8f055376775b7a2c07195ed9ecd97a6035a4d9977f9302

Download Submit
C:\Recycled\SPOOLSV.EXE

Filesize
25KB

MD5
e60176c041d82b7a9e5af90499fce7d7

SHA1
0e5e0f738ae84089c1c6abaafecf45096e59b06e

SHA256
b124fdc587d6f57dead3b2b79edafec17f6cd5b44bbc71d7c1eb5a443f2b2336

SHA512
04eb4d9b85e177962198dd535901b7c849cd6c4a895abc6f161a74be159f2c472657245dbccbbc306a06a1450e2593219432b951d373d0cc8a60e449c09f9529

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
12725a5ecbb37a8acaa17f8120af4e16

SHA1
95074d1d576056f36778b4c665234f467966160e

SHA256
bb422477ed274dbbff4427a30aa66f1e5069e2c4a201e67079a26396db701887

SHA512
2bc942386c4d5930c046e27b935f74d7e576c4ea2d99be50226b07cceac6b2b25e82c2a28d597ad33cd0a3b907b8fa5eb0e9b56b4565e887c96f14520b9de1ff

Download Submit
C:\Recycled\SVCHOST.EXE

Filesize
7KB

MD5
182181a0d1ed7c889695a4d25d1e6637

SHA1
59aaba23af8267a52f2915e52a6a0414d786b48a

SHA256
a7f047ee997da3900aaef5eb92590c32b83208457482dca3c05ddd31834bd06e

SHA512
d9fd182c3f9c7cbd93adca6ae2f67328cb54a360012b73263b7d7739c342519ce9d68e328124c74013c124a267b13fc7b346f40cc03c8a298d69a6cc7e1d1ebb

Download Submit
C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
c777e867ea47a64c270e34eb720d9d58

SHA1
466d1abf38aa9a521fad1420e858268b0e8fb8c2

SHA256
093773768c6a6cb7f6900cefd66304293459c1b42f4b24563d69deadc3ed06df

SHA512
ace9036e6f6d265a172912baf98a2a3a4f51e100f69ee5c858a1c450d10192a4323021f4197331ad9d8d185539ea225edfe915ec5df51075475f01b6fa0c6402

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
22KB

MD5
843afe93d6ab55befcb5923438e2c4f7

SHA1
3e7fd74fa417cdc80666f553eb0a6cc8195d0fc7

SHA256
38609f9caec3870fc5d588d0c66ceea84a76775d38789e69167d755d8d710b25

SHA512
12d5d81e872c2dee8611d7d6afc9ed7ab10c75d730d215e424e7c187699df706e316631811f5c9aa9d58956abc15473a6f58f32cdd668b923bd7752a07704462

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
19KB

MD5
935bd4f2d75fed5e8a6e53b50d1d222b

SHA1
c1f1d7a10f268c43a609aff937661a7af29d1714

SHA256
8e163e9fa9e67cec3e3999b2b84616578ee1a756245d56e81a5265d593342368

SHA512
53cfd39226b76d29764d7c1566dd8c0fbc890197898973d90ada3c7f1dc8686534fcffaf6c1143d915a017992df1e133c747a178638633b9f7622176ebdece60

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
20KB

MD5
91281bfff94814060bd02cf186eac4f0

SHA1
2795c373dc8dd2eba0d261af2512cbc61fd435ca

SHA256
1a8c249570647ed595501f804b6fcba1cc09925b37f2bf441aff805cd07869b8

SHA512
94580d9be2b66940136d6bc90cedf1f5c4fd2908d5863c6af0b796acf3f7f1a4ed7d0ca4b4d9e1642182711ca69ab0f678f731212fb726026e5ad970cb805fc1

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
16KB

MD5
eb8ab3e40bbbb0662a63b008a4bceaab

SHA1
dc54e5b75d58cb579c0c4dd956c66f11620e533e

SHA256
66bb121668e47831e2c7b1c5cd81f4edf35f7af5a01078b3712a4b15c001a56b

SHA512
b068803f70387b4e9e9805f5c4c6e7299be9a4ef4bc98d397d40561246ce4ed84c97566c89c50fd77103e259d63ffd880b563e29969668b88a8e5d764bf8ac8a

Download Submit
\Recycled\SVCHOST.EXE

Filesize
35KB

MD5
29c8a05a668288189b1fded8bcd879e6

SHA1
a08caf5d0815463c91b6e8152218341673390cdf

SHA256
ee31dd0bf916b48fa7d991878ecc579e42a7b7e2851f0249307e4533d08d9655

SHA512
203df44e9837b218c18920995cd691fa56642775fd1549074e676da8d643ef2207869db684b3c7b49b7e7a7b41659b236d47b3875db31e6abf8c9d7f38747c92

Download Submit
\Recycled\SVCHOST.EXE

Filesize
31KB

MD5
965292ced92c03acd35c119b6b2758fa

SHA1
29b73c17e793b57acdac2c04248ec669f6fccbe2

SHA256
b587d298ffd76d8f9fd1447d1bf7264bc828bb1d2d1b20ce0c73460741c9eefb

SHA512
9cff181a4ed75e07be6abea35caed1dfe3e842a3888262f5d51e944acd992f656ba83455df7c38a6c39fadac97f657083ce35b5b40684909d82d7a3e41fe73e9

Download Submit
memory/844-120-0x000000007172D000-0x0000000071738000-memory.dmp

Filesize
44KB

Download
memory/844-119-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/844-133-0x000000007172D000-0x0000000071738000-memory.dmp

Filesize
44KB

Download
memory/844-117-0x000000002FC11000-0x000000002FC12000-memory.dmp

Filesize
4KB

Download
memory/1700-114-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1788-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1788-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2328-106-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2328-110-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2400-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2400-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2644-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2644-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2660-99-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-25-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2688-109-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2688-118-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2688-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-116-0x0000000004AF0000-0x0000000004AFC000-memory.dmp

Filesize
48KB

Download
memory/2688-105-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2688-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-17-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2696-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-82-0x00000000023E0000-0x00000000023FA000-memory.dmp

Filesize
104KB

Download
memory/2720-83-0x00000000023E0000-0x00000000023FA000-memory.dmp

Filesize
104KB

Download
memory/2728-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2728-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2764-51-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2764-66-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2764-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2796-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2796-34-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/2796-97-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/2796-98-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/2824-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2824-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download