Malware Analysis Report

2025-01-06 09:16

Sample ID 240601-gdkczscd59
Target fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c
SHA256 fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c

Threat Level: Known bad

The file fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Detects executables packed with ASPack

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:41

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:41

Reported

2024-06-01 05:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\L: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\M: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\K: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\J: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2520 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2520 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2520 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2520 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2792 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2792 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2792 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2792 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2592 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2592 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2592 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2592 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2628 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2628 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2628 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2628 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2364 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2792 wrote to memory of 2364 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2792 wrote to memory of 2364 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2792 wrote to memory of 2364 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2364 wrote to memory of 2876 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 2876 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 2876 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 2876 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 644 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 644 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 644 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 644 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2364 wrote to memory of 572 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2364 wrote to memory of 572 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2364 wrote to memory of 572 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2364 wrote to memory of 572 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 1916 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 1916 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 1916 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 1916 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe F:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe F:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe F:\recycled\SVCHOST.EXE
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2700 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2700 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2700 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2700 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2896 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SPOOLSV.EXE
PID 2896 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SPOOLSV.EXE
PID 2896 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SPOOLSV.EXE
PID 2896 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SPOOLSV.EXE
PID 2700 wrote to memory of 1664 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2700 wrote to memory of 1664 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2700 wrote to memory of 1664 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2700 wrote to memory of 1664 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
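The write chain in the table above, reconstructed as a tree. This is an added example and not part of the sandbox report: it parses rows in the report's own layout (the rows below are copied from the behavioral1 table, as constructed input), collapses the repeated rows into one edge per source/target pair with a write count, and finds the path by which the sample reaches Explorer.EXE, which runs through userinit.exe, the same binary the Winlogon Userinit value normally names. The helper names `parse_rows`, `build_graph`, `roots`, `path_to`, `render` and `writes_into_windows_binaries` are chosen here.

```python
import re
from collections import defaultdict, deque

# One row of the 'Suspicious use of WriteProcessMemory' table:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Images are absolute Windows paths and may contain spaces, so the source
# image is matched lazily up to the drive letter that starts the target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Z]:\\.*?) (?P<dst_img>[A-Z]:\\.*)$"
)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe")

# Constructed input: rows copied from the behavioral1 table. The report lists
# each row four times; only the first edge keeps its repeats here so the
# per-edge write count shows up in the output.
ROWS = [
    rf"PID 2896 wrote to memory of 2472 N/A {SAMPLE} C:\recycled\SVCHOST.EXE",
    rf"PID 2896 wrote to memory of 2472 N/A {SAMPLE} C:\recycled\SVCHOST.EXE",
    rf"PID 2896 wrote to memory of 2472 N/A {SAMPLE} C:\recycled\SVCHOST.EXE",
    rf"PID 2896 wrote to memory of 2472 N/A {SAMPLE} C:\recycled\SVCHOST.EXE",
    r"PID 2472 wrote to memory of 2520 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE",
    r"PID 2472 wrote to memory of 2792 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE",
    r"PID 2792 wrote to memory of 2592 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE",
    r"PID 2792 wrote to memory of 2628 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE",
    r"PID 2792 wrote to memory of 2364 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE",
    r"PID 2364 wrote to memory of 2876 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE",
    r"PID 2364 wrote to memory of 644 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE",
    r"PID 2364 wrote to memory of 572 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE",
    r"PID 2472 wrote to memory of 1916 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE",
    rf"PID 2896 wrote to memory of 2596 N/A {SAMPLE} F:\recycled\SVCHOST.EXE",
    r"PID 2472 wrote to memory of 2700 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe",
    rf"PID 2896 wrote to memory of 2712 N/A {SAMPLE} C:\recycled\SPOOLSV.EXE",
    r"PID 2700 wrote to memory of 1664 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE",
    rf"PID 2896 wrote to memory of 1128 N/A {SAMPLE} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
]


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) per row; rows that do
    not match the report layout are skipped rather than guessed at."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_graph(events):
    """Collapse repeated rows into one edge per (src, dst) with a write count,
    and remember the image each PID ran as."""
    counts = defaultdict(int)
    image, children = {}, defaultdict(list)
    for src, dst, src_img, dst_img in events:
        if (src, dst) not in counts:
            children[src].append(dst)
        counts[(src, dst)] += 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return children, image, counts


def roots(children):
    """PIDs that wrote into others but were never written into themselves."""
    targets = {d for ds in children.values() for d in ds}
    return sorted(p for p in children if p not in targets)


def path_to(children, image, basename):
    """Breadth-first search from each root to the first PID whose image ends
    with basename; returns the PID path or None."""
    for root in roots(children):
        queue = deque([[root]])
        while queue:
            path = queue.popleft()
            if image[path[-1]].lower().endswith(basename.lower()):
                return path
            for nxt in children.get(path[-1], []):
                if nxt not in path:  # guard against cycles in malformed logs
                    queue.append(path + [nxt])
    return None


def writes_into_windows_binaries(events):
    """Edges whose target image lives under the Windows directory: the writes
    a responder looks at first, since those are not the sample's own copies."""
    return sorted({(s, d, dst) for s, d, _src, dst in events
                   if dst.lower().startswith("c:\\windows\\")})


def render(children, image, counts, pid, depth=0, lines=None, via=None):
    """Indented text tree, one line per PID, with the write count on the edge."""
    lines = [] if lines is None else lines
    label = image[pid].rsplit("\\", 1)[-1]
    suffix = f"  <- {counts[(via, pid)]} write(s) from {via}" if via is not None else ""
    lines.append(f"{'  ' * depth}{pid} {label}{suffix}")
    for child in children.get(pid, []):
        render(children, image, counts, child, depth + 1, lines, pid)
    return lines


if __name__ == "__main__":
    ch, img, cnt = build_graph(parse_rows(ROWS))
    print("\n".join(render(ch, img, cnt, roots(ch)[0])))
    print("path to Explorer.EXE:", path_to(ch, img, "Explorer.EXE"))
```

The tree makes the two things worth noting visible at a glance: every dropped copy (C:\recycled and F:\recycled) is both a target and a source of further writes, and only two edges leave the sample's own copies, the writes into userinit.exe and from there into Explorer.EXE.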

Processes

C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe

"C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.doc"

Network

N/A

Files

memory/2896-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 8e1b10c7e1e50c4fe85cdb1864a5a73d
SHA1 7b8bde9b5d26e87afe890ee7a25cf5e300f0dba7
SHA256 8455a6c893ac05087e0c185a2950efa3205e397560fdd6c43c4b657901d4bbd3
SHA512 008f021902141f1e43c56149bdc71db940fe897ba2e58ba35716e5950c6477a0f7355d521215c530d5be3e79516f74abbc370d14f02dca16e89843d20b167a35

\Recycled\SVCHOST.EXE

MD5 b7b0f76351134540dd6c1a768b8d161f
SHA1 992fb326344dda87818991b5eebc6e6083105fbb
SHA256 9d91e22e358fa941a2bb9ab2e5fb23af07e0ff853f44738c5619d5bf3b780b02
SHA512 efda314e1301fe0448e59a771622b233181c73dd6d356086195382c408dab319c1125a2474193a12a16f79b2ecd41b57bda29afb8f1a2d48f3ada97d282b4035

memory/2896-17-0x0000000000460000-0x000000000047A000-memory.dmp

memory/2472-24-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2896-23-0x0000000000460000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/2520-32-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2520-37-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-38-0x00000000024B0000-0x00000000024CA000-memory.dmp

memory/2472-41-0x00000000024B0000-0x00000000024CA000-memory.dmp

memory/2792-48-0x0000000002570000-0x000000000258A000-memory.dmp

memory/2628-55-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2592-54-0x0000000000400000-0x000000000041A000-memory.dmp

\Recycled\SPOOLSV.EXE

MD5 e0b8ab1f8464997a9020aa24aad27489
SHA1 107cd2088257064adaa1d6344696bfc8b3f58715
SHA256 47b8b0eb4c83a0a86348f8b341bd1ce51e84d633086572e9f759b519fe2696c3
SHA512 1c67980938d73bac5345d48db993f851f42178f7b813b4d712158de62fab56ce2814f9733f00f8c3bff7899cfa52a379e941c0ae774afb199764ff86a1b3bc2f

memory/2364-64-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2792-63-0x0000000002570000-0x000000000258A000-memory.dmp

memory/2628-60-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2364-72-0x00000000005C0000-0x00000000005DA000-memory.dmp

memory/2876-76-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2364-79-0x00000000005C0000-0x00000000005DA000-memory.dmp

memory/644-84-0x0000000000400000-0x000000000041A000-memory.dmp

memory/572-87-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1916-94-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-93-0x00000000024B0000-0x00000000024CA000-memory.dmp

memory/1916-95-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2596-101-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2712-104-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2712-107-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2896-108-0x00000000041B0000-0x00000000041C0000-memory.dmp

memory/2896-110-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2896-109-0x0000000000460000-0x000000000047A000-memory.dmp

memory/1128-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

memory/2472-141-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:41

Reported

2024-06-01 05:43

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
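The Winlogon and Explorer writes in the three tables above, checked by a script. This is an added example and not part of the report: it parses rows in the report's own layout (the rows below are copied from the tables, plus one constructed benign control row), restores the backslashes the report doubles in string data, and flags a Userinit value that is not the standard default, HideFileExt set to 1 and ShowSuperHidden set to 0. It also records the registry view: the sample is a 32-bit process (note SysWOW64\userinit.exe in the process list), so its Userinit write landed under WOW6432Node rather than in the native key that 64-bit Winlogon consults, and a live check on x64 has to read both views. The names `parse_row`, `check`, `triage` and `DEFAULT_USERINIT` are chosen here.

```python
import re

# One row of a 'Set value' table in this report:
#   Set value (str|int) <key>\<value> = "<data>" <writing process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<kind>str|int)\) (?P<path>\\REGISTRY\\.*?) = '
    r'"(?P<data>[^"]*)" (?P<proc>[A-Z]:\\.*?) N/A$'
)

# Standard default of the Winlogon Userinit value (comma-terminated). Anything
# else is started by Winlogon before the shell at every interactive logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe")
WOW_WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
NATIVE_WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USER_ADVANCED = (r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
                 r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced")

# Constructed input: rows copied from the behavioral2 tables above.
ROWS = [
    rf'Set value (str) {WOW_WINLOGON}\Userinit = "C:\\recycled\\SVCHOST.exe," {SAMPLE_EXE} N/A',
    rf'Set value (str) {WOW_WINLOGON}\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A',
    rf'Set value (int) {USER_ADVANCED}\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A',
    rf'Set value (int) {USER_ADVANCED}\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A',
]
# Constructed control row (not from the report): the default value written to
# the native key by a system process, which must not be flagged.
BENIGN_ROW = (rf'Set value (str) {NATIVE_WINLOGON}\Userinit = '
              r'"C:\\Windows\\system32\\userinit.exe," C:\Windows\System32\svchost.exe N/A')


def parse_row(row):
    """Split one report row into key, value name, data, writer and view."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    # The report prints string data with doubled backslashes; undo that.
    data = m["data"].replace("\\\\", "\\")
    view = "WOW6432Node" if "\\WOW6432Node\\" in key else "native"
    return {"key": key, "name": name, "data": data, "proc": m["proc"], "view": view}


def check(entry):
    """Return a finding for a registry write, or None if it is not one of the
    three behaviours this report flags."""
    key, name, data = entry["key"].lower(), entry["name"].lower(), entry["data"].lower()
    if key.endswith("\\winlogon") and name == "userinit":
        if data != DEFAULT_USERINIT:
            return f"Winlogon Userinit hijacked -> {entry['data']} ({entry['view']} view)"
        return None
    if key.endswith("\\explorer\\advanced"):
        if name == "hidefileext" and data == "1":
            return "Explorer set to hide file extensions"
        if name == "showsuperhidden" and data == "0":
            return "Explorer set to hide hidden/system files"
    return None


def triage(rows):
    """Map each finding to the set of processes that produced it, so the output
    shows which of the dropped copies rewrite the same value."""
    findings = {}
    for row in rows:
        entry = parse_row(row)
        if entry is None:
            continue
        finding = check(entry)
        if finding:
            findings.setdefault(finding, set()).add(entry["proc"])
    return findings


if __name__ == "__main__":
    for finding, procs in triage(ROWS + [BENIGN_ROW]).items():
        print(finding)
        for proc in sorted(procs):
            print("   written by", proc)
```

On a live x64 host the equivalent check reads the Userinit value from both `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon` and compares each against the same default string; a value pointing into a Recycled directory, as here, is the finding regardless of which view it sits in.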

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\M: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\H: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\J: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\J: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" F:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2788 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2792 wrote to memory of 2028 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2028 wrote to memory of 3576 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2028 wrote to memory of 5100 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2028 wrote to memory of 2232 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2232 wrote to memory of 1192 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2232 wrote to memory of 2024 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2232 wrote to memory of 4780 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2792 wrote to memory of 3104 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4244 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe F:\recycled\SVCHOST.EXE
PID 4244 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\recycled\SPOOLSV.EXE
PID 2792 wrote to memory of 4940 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 4940 wrote to memory of 1104 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 4244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe

"C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4244-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 1cd2737f081571cd162070c70d0564af
SHA1 d5bcb147edb8b9530a5312cf72fe186b0c5e13fd
SHA256 7d7c9e71930dd68439ee58adf1cb3f56a02238b73dc5e854de1a957b31eaa500
SHA512 37cf4fd84eb4bee4bb2133ad5fd2873914f45e69ca13d9a09c0590f0efc9411d1b96c94a2756225badb021de2056a2b8694d220780f148180cab230430e64d5a

C:\Recycled\SVCHOST.EXE

MD5 f1551f244c0b734ae4ecfb8752d3a404
SHA1 e49bd54b4385dc68fc3bd6adba47961eee0c0e26
SHA256 8e77d830fe73e31dab5aca0e247d01e135ce73e782777ba1fe8ba5104f587e93
SHA512 a5c9fd40a685893b675d5fc1fcc181b1d107d5a711824030e35262b8136b13b17af8999caa4117e022b25bedd7c76fd19d056aa9e3afd2b41fef9307a2545207

memory/2792-17-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/2788-26-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2028-30-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3576-36-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3576-41-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5100-43-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Recycled\SPOOLSV.EXE

MD5 ced0ce2a797c70ecda4d6ef101831fdd
SHA1 0f8d92e4e7d9ed454c9913050c5523094cb6574b
SHA256 89de7d4bb5ac99754f1f4ec44505773d0939ae8d1bb03d1dda81fc52af6b2102
SHA512 8ee458e9f95f95b5a436c4bcfb6bd17ec50c8f9a2e76633a5485c0787e6d6c29251c581ac5034b66f4acf7eb4df3b2b045b87890db374a57ee37c2773dca203c

memory/2232-48-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5100-50-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1192-57-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2024-58-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2024-64-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4780-65-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4780-66-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3104-68-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3104-71-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3028-75-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3028-77-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1264-80-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4244-81-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1620-82-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1620-85-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1620-84-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1620-86-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1620-83-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1620-87-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

memory/1620-88-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be