Malware Analysis Report

2024-11-16 10:41

Sample ID 240603-21v38adb64
Target 7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941
SHA256 7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941

Threat Level: Known bad

The file 7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Detects executables packed with ASPack

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 23:03

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 23:03

Reported

2024-06-03 23:06

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\X: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\M: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\I: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2532 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2532 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2532 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2532 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2600 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2600 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2600 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 2600 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2548 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2548 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2548 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2548 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2472 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2472 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2472 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2472 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2600 wrote to memory of 2488 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2600 wrote to memory of 2488 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2600 wrote to memory of 2488 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2600 wrote to memory of 2488 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2488 wrote to memory of 2424 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2424 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2424 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2424 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2836 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2836 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2836 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2836 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2488 wrote to memory of 2800 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2488 wrote to memory of 2800 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2488 wrote to memory of 2800 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2488 wrote to memory of 2800 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2880 wrote to memory of 572 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2880 wrote to memory of 572 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2880 wrote to memory of 572 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2880 wrote to memory of 572 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2684 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe F:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe F:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe F:\recycled\SVCHOST.EXE
PID 2684 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe F:\recycled\SVCHOST.EXE
PID 2880 wrote to memory of 936 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2880 wrote to memory of 936 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2880 wrote to memory of 936 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2880 wrote to memory of 936 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SPOOLSV.EXE
PID 2684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SPOOLSV.EXE
PID 2684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SPOOLSV.EXE
PID 2684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SPOOLSV.EXE
PID 936 wrote to memory of 2672 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 936 wrote to memory of 2672 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 936 wrote to memory of 2672 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 936 wrote to memory of 2672 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe

"C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.doc"

Network

N/A

Files

memory/2684-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 cc662b2f99a26b0f5bde01698547841c
SHA1 6a6a374a8dd575cb43415f4760a7c40132fd9299
SHA256 6ca9429c7aa89674bbe3d42d9f0fd4da6b4cb5eb3d4fa73a7afc939caa7e5436
SHA512 0957ac89e8f5c6ade5ad710d2c7f2ac12faa86e8e12efe68e4734f2bcc083d03ac804704f10b7112402942e60b00a07b029ebc13564c108b316213d2b64cf5f8

\Recycled\SVCHOST.EXE

MD5 d424ed0c48b8a9c3d06346dbd1c04247
SHA1 1e39ac95c86082f896b0a5e364e391024f62050d
SHA256 568c7bff606cd5ca0ecafd75686d0a97504e6efb3623ea12209620a19f87268d
SHA512 d7ea694024b377a680b0c41eede4f422091ec9d7af008641376f1885e312d48d88db69f7b80db321ee40fe6c91c1cd329905be2ffc263ed093e190974394f019

memory/2880-24-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2684-23-0x0000000000540000-0x000000000055A000-memory.dmp

memory/2684-22-0x0000000000540000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/2532-33-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2880-36-0x0000000001D30000-0x0000000001D4A000-memory.dmp

memory/2880-39-0x0000000001D30000-0x0000000001D4A000-memory.dmp

memory/2600-46-0x00000000004A0000-0x00000000004BA000-memory.dmp

memory/2548-51-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-53-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-54-0x0000000000400000-0x000000000041A000-memory.dmp

\Recycled\SPOOLSV.EXE

MD5 f8427be60bf995e9133cbb756a9ef59b
SHA1 b20cece82dbdd00ce726d78a4310116ddd378e0b
SHA256 cd3767ee78afabf00163921c772e2c687c24046ccc609b4cce3d8ac35527b3ec
SHA512 84b3256a2bf657bafc80601c2b42eeb57347a2d6834b8f6f80fc0689403e45de65d1dc63fb8f77efa99d928aef75b951b66b73ca0b5e7f92e852eb8d23d5ddfb

memory/2600-57-0x00000000004A0000-0x00000000004BA000-memory.dmp

memory/2488-66-0x0000000000420000-0x000000000043A000-memory.dmp

memory/2424-69-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2836-73-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2836-77-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2488-78-0x0000000000420000-0x000000000043A000-memory.dmp

memory/2800-81-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2684-90-0x0000000000540000-0x000000000055A000-memory.dmp

memory/572-88-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1648-94-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2684-98-0x0000000000540000-0x000000000055A000-memory.dmp

memory/2684-97-0x0000000000540000-0x000000000055A000-memory.dmp

memory/2180-101-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2684-102-0x00000000041E0000-0x00000000041F0000-memory.dmp

memory/2684-103-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2312-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 23:03

Reported

2024-06-03 23:05

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\K: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\Q: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\L: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\X: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: F:\recycled\SVCHOST.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\InfoTip = "prop:Type;Write;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(xN = number of identical consecutive rows in the raw log)
PID 4684 wrote to memory of 1204 (x3) N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SVCHOST.EXE
PID 1204 wrote to memory of 5112 (x3) N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 1204 wrote to memory of 2108 (x3) N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 1832 (x3) N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 3984 (x3) N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 4992 (x3) N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4992 wrote to memory of 396 (x3) N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 4992 wrote to memory of 1612 (x3) N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 4992 wrote to memory of 4072 (x3) N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1204 wrote to memory of 1620 (x3) N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4684 wrote to memory of 816 (x3) N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe F:\recycled\SVCHOST.EXE
PID 4684 wrote to memory of 4996 (x3) N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\recycled\SPOOLSV.EXE
PID 1204 wrote to memory of 2136 (x3) N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2136 wrote to memory of 4940 (x2) N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 1812 (x2) N/A C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
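To turn the table into the process tree it describes, here is an added Python example (not part of the sandbox report): it parses the distinct rows above, treats each writer -> target pair as a parent -> child edge (an assumption; in this detonation every WriteProcessMemory hit lands in a process that is just starting, so the pairs double as a process-creation log), and flags writes from the dropped binaries into a Windows system image. The rows are copied from the table; the `<sample>` placeholder, the optional `(xN)` repeat count and all function names are the example's own.

```python
"""Rebuild the detonation's process tree from the WriteProcessMemory table.

Added example; not part of the sandbox report. WPM_TABLE holds the distinct
rows of the 'Suspicious use of WriteProcessMemory' table (the raw log
repeats most of them three times). Reading writer -> target as
parent -> child is an assumption that holds for this detonation.
"""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe")

# Distinct rows copied from the table; <sample> stands for the long sample path.
WPM_TABLE = r"""
PID 4684 wrote to memory of 1204 N/A <sample> C:\recycled\SVCHOST.EXE
PID 1204 wrote to memory of 5112 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 1204 wrote to memory of 2108 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 1832 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 3984 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2108 wrote to memory of 4992 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4992 wrote to memory of 396 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 4992 wrote to memory of 1612 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 4992 wrote to memory of 4072 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1204 wrote to memory of 1620 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4684 wrote to memory of 816 N/A <sample> F:\recycled\SVCHOST.EXE
PID 4684 wrote to memory of 4996 N/A <sample> C:\recycled\SPOOLSV.EXE
PID 1204 wrote to memory of 2136 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2136 wrote to memory of 4940 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 1812 N/A <sample> C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
""".replace("<sample>", SAMPLE)

# Paths may contain spaces ("Program Files"), so anchor on the drive letters
# rather than splitting on whitespace. "(xN)" is an optional repeat count.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \(x\d+\))? N/A "
    r"([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


def parse_rows(text):
    """Parse table rows into (writer_pid, target_pid, writer_image, target_image)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def build_tree(rows):
    """Return (pid -> image, pid -> child pids in first-seen order)."""
    image, children = {}, defaultdict(list)
    for src, dst, src_img, dst_img in rows:
        image.setdefault(src, src_img)
        image[dst] = dst_img
        if dst not in children[src]:
            children[src].append(dst)
    return image, children


def roots(rows):
    """Processes that wrote into others but were never written to: the tree roots."""
    return sorted({r[0] for r in rows} - {r[1] for r in rows})


def render(image, children, pid, depth=0, out=None):
    """Indented one-line-per-process listing of the subtree under pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image[pid]}")
    for child in children.get(pid, []):
        render(image, children, child, depth + 1, out)
    return out


def spawn_counts(rows):
    """Number of distinct target processes per image file name."""
    return Counter(dst_img.rsplit("\\", 1)[-1].upper() for *_, dst_img in rows)


def system_image_targets(rows):
    """(writer, target, target_image) where a process outside C:\\Windows wrote
    into a C:\\Windows binary: the rows to escalate (here the worm -> userinit.exe)."""
    windir = "c:\\windows\\"
    return [(src, dst, dst_img) for src, dst, src_img, dst_img in rows
            if dst_img.lower().startswith(windir) and not src_img.lower().startswith(windir)]


if __name__ == "__main__":
    rows = parse_rows(WPM_TABLE)
    image, children = build_tree(rows)
    for root in roots(rows):
        print("\n".join(render(image, children, root)))
    print(spawn_counts(rows))
    print(system_image_targets(rows))
```

Run stand-alone it prints one tree rooted at PID 4684, with the dropped SVCHOST.EXE/SPOOLSV.EXE copies on C: and F: spawning each other, userinit.exe under the C: copy (PID 1204) and WINWORD.EXE directly under the sample; the only cross-boundary write into a Windows binary is 1204 -> userinit.exe.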

Processes

C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe

"C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7553d1bda14b8d00b5df812187fdd95d68dc8deff4b2a93643fff7b3b3b9e941.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp (x43 identical connections)
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (x4 identical connections)
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Every destination above is Microsoft Office or Bing infrastructure, or a reverse-DNS (in-addr.arpa) lookup of one of their addresses, which matches WINWORD.EXE opening the .doc from the user's Temp directory; no command-and-control or payload-download destination was observed in this detonation.

Files

memory/4684-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 58c567389f85738af375c6320043b4c9
SHA1 beb0c5672fb6f585c554303482267739f1d1cee6
SHA256 cbbbada48bc2667d08eec0c4d0f1a166678ca76a88a8788036de22601e51e673
SHA512 15721fe7a232b473018aa68139022b873e27735b82e54c56bdb98ddc289d514d68e9ec591a9cecfb9544c91ad8a20968ffc66fc1c85abfefe2614a771611351f

memory/1204-17-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Recycled\SVCHOST.EXE

MD5 91b0459331e2e87db95b7658c9257106
SHA1 4f2fdbac2a5f29ac767995dd9152e53edc102676
SHA256 177679f28a04fbd0bbfea390e39dce8a885c7cc2bad36e5e47aa6e27d6843a51
SHA512 246d77a9f0eeb2f217fd27be88705a730887dc8ad6c5d0e7690fbe7c26fac3d4f1cc1a7bbc21a2c5a61b74df5f56e6a0213dd7d7d50760f715d07d8ff07e9aff

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/5112-28-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2108-29-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1832-36-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1832-40-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3984-43-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4992-46-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Recycled\SPOOLSV.EXE

MD5 9b759abe7a0d676f3ebbc88c98f7c9cf
SHA1 8e9de4b6e87654449c812c635deb5f2cb1bda317
SHA256 773381025fb0232f19ae2f75c4552ff1433a71d7afde4458172bbcec33d60664
SHA512 29f621317b7c11722acf21645f9c047d21c1f2519f3768d590306c97c2ef299453a0b3ae18bc30e93393beaeb8fdb59468eda3d46fa91d622192ae9dae8efc17

memory/396-55-0x0000000000400000-0x000000000041A000-memory.dmp

memory/396-59-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1612-60-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1612-61-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4072-65-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4072-66-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1620-71-0x0000000000400000-0x000000000041A000-memory.dmp

memory/816-73-0x0000000000400000-0x000000000041A000-memory.dmp

memory/816-76-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4996-77-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4996-80-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4684-81-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1812-82-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/1812-85-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/1812-84-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/1812-86-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/1812-83-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/1812-87-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

memory/1812-88-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDA05E.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
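Added example, not from the report: the indicators in the Processes and Files sections turned into four host-side rules and run over constructed Sysmon-style process-creation events (Image, CommandLine, ParentImage, Hashes); none of the events are real logs. Because C:\Recycled\SVCHOST.EXE, F:\Recycled\SVCHOST.EXE and C:\Recycled\SPOOLSV.EXE carry three different SHA256 values in this report, the hash rule is the weakest of the four; the \Recycled path, the :agent switch and userinit.exe with a parent other than winlogon.exe are what catch a freshly dropped copy. Rule names, helper names and the event layout are the example's own assumptions.

```python
"""Host-side detection rules derived from this report's indicators.

Added example; not part of the sandbox report. Four rules: a
SVCHOST.EXE/SPOOLSV.EXE image in a \\Recycled folder on any drive, the
':agent' command-line switch, the SHA256 of the three dropped PEs, and
userinit.exe started by anything other than winlogon.exe. Events are
constructed to mimic Sysmon Event ID 1 fields; they are not real logs.
"""
import re

# From the Files section of the report. Three copies, three different hashes.
DROPPED_SHA256 = {
    "cbbbada48bc2667d08eec0c4d0f1a166678ca76a88a8788036de22601e51e673",  # F:\Recycled\SVCHOST.EXE
    "177679f28a04fbd0bbfea390e39dce8a885c7cc2bad36e5e47aa6e27d6843a51",  # C:\Recycled\SVCHOST.EXE
    "773381025fb0232f19ae2f75c4552ff1433a71d7afde4458172bbcec33d60664",  # C:\Recycled\SPOOLSV.EXE
}
RECYCLED_IMAGE = re.compile(r"^[a-z]:\\recycled\\(svchost|spoolsv)\.exe$", re.I)
AGENT_SWITCH = re.compile(r"\s:agent\s*$", re.I)


def sha256_of(hashes_field):
    """Pull SHA256 out of a Sysmon-style 'SHA256=...,MD5=...' field (lower-cased)."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify(event):
    """Names of the rules this event trips; an empty list means clean."""
    hits = []
    image = event.get("Image", "")
    if RECYCLED_IMAGE.match(image):
        hits.append("recycled_svchost_spoolsv_image")
    if AGENT_SWITCH.search(event.get("CommandLine", "")):
        hits.append("agent_switch")
    if sha256_of(event.get("Hashes", "")) in DROPPED_SHA256:
        hits.append("known_dropped_pe_sha256")
    parent = event.get("ParentImage", "").lower()
    if image.lower().endswith("\\userinit.exe") and not parent.endswith("\\winlogon.exe"):
        hits.append("userinit_not_from_winlogon")
    return hits


def scan(events):
    """{event index: rule names} for every event that tripped at least one rule."""
    result = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            result[i] = hits
    return result


def _ev(image, cmd, parent, sha):
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent, "Hashes": "SHA256=" + sha}


# Constructed events: 0-2 and 5 mirror behaviour in this report, 3-4 are benign controls.
# Hashes made of a repeated digit are placeholders, not real file hashes.
CONSTRUCTED_EVENTS = [
    _ev(r"C:\recycled\SVCHOST.EXE", r"C:\recycled\SVCHOST.EXE :agent", r"C:\recycled\SVCHOST.EXE",
        "177679F28A04FBD0BBFEA390E39DCE8A885C7CC2BAD36E5E47AA6E27D6843A51"),
    _ev(r"F:\recycled\SVCHOST.EXE", r"F:\recycled\SVCHOST.EXE :agent", r"C:\recycled\SVCHOST.EXE",
        "cbbbada48bc2667d08eec0c4d0f1a166678ca76a88a8788036de22601e51e673"),
    _ev(r"C:\Windows\SysWOW64\userinit.exe", r"C:\Windows\system32\userinit.exe",
        r"C:\recycled\SVCHOST.EXE", "0" * 64),  # worm launching userinit.exe
    _ev(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p",
        r"C:\Windows\System32\services.exe", "1" * 64),  # the real service host
    _ev(r"C:\Windows\System32\userinit.exe", r"C:\Windows\system32\userinit.exe",
        r"C:\Windows\System32\winlogon.exe", "2" * 64),  # normal interactive logon
    _ev(r"E:\Recycled\SPOOLSV.EXE", r"E:\Recycled\SPOOLSV.EXE :agent", r"E:\Recycled\SVCHOST.EXE",
        "3" * 64),  # re-dropped copy with an unseen hash: path and switch still fire
]

if __name__ == "__main__":
    for i, hits in scan(CONSTRUCTED_EVENTS).items():
        print(i, CONSTRUCTED_EVENTS[i]["Image"], hits)
```

Events 0 and 1 trip all three file-based rules, event 2 trips only the userinit parentage rule, the two benign controls trip nothing, and event 5 shows why the path and command-line rules matter: a copy with a hash the report never saw is still caught.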