Malware Analysis Report

2025-08-10 23:21

Sample ID 241117-kfmgxaznbq
Target b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e
SHA256 b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e

Threat Level: Known bad

The file b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:32

Reported

2024-11-17 08:35

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\S: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\W: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\J: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\recycled\SPOOLSV.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\userinit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
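The Winlogon, Explorer\Advanced and scrfile tables above can be checked mechanically rather than read row by row. The script below is an added example by the editor, not part of this sandbox report: it parses rows in the report's own "Description Indicator Process Target" layout, strips the hive and SID prefixes, undoes the report's C-style string escaping, and compares each write against stock Windows 7 values (Userinit = C:\Windows\system32\userinit.exe, Shell = explorer.exe, scrfile description "Screen saver"); those defaults are the editor's assumption. The sample rows are copied from the tables above, plus one constructed benign Userinit row to show the stock value is not flagged. Note that the Userinit write landed under Wow6432Node, the 32-bit registry view, because the 32-bit sample ran on a 64-bit sandbox; on a real host, confirm what the native Winlogon key holds before treating that value as effective persistence.

```python
"""Check the registry writes listed in the signature tables above.

Added example, not part of the sandbox report. It parses rows in the
report's own "Description Indicator Process Target" layout, normalises the
key and compares Winlogon, Explorer\\Advanced and scrfile writes against the
stock Windows 7 values below (the editor's assumed defaults).
"""
import re

ROW = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key deleted|Key opened)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'                 # key path, may contain spaces
    r'(?:\s=\s"(?P<data>(?:[^"\\]|\\.)*)")?'    # optional C-escaped string data
    r'\s+(?P<proc>[A-Z]:\\.+?)'                 # writing process, may contain spaces
    r'\s+(?P<target>N/A|[A-Z]:\\\S.*)$'
)

DEFAULT_USERINIT = 'c:\\windows\\system32\\userinit.exe,'
DEFAULT_SHELL = 'explorer.exe'
DEFAULT_SCRFILE_DESC = 'screen saver'
VIEW_VALUES = ('\\explorer\\advanced\\hidefileext',
               '\\explorer\\advanced\\showsuperhidden')

# Rows copied from the tables above; the last one is a constructed benign
# Userinit write, included to show that the stock value is not flagged.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," C:\Windows\regedit.exe N/A
'''

def parse_row(line):
    """Return a dict for one table row, or None if the line is not a row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    key = m['key']
    hive = 'HKLM' if key.startswith('\\REGISTRY\\MACHINE\\') else 'HKCU'
    # Drop the hive prefix and, under HKCU, the per-user SID.
    key = re.sub(r'^\\REGISTRY\\(MACHINE|USER\\S-1-5-[\d-]+)\\', '', key)
    wow64 = key.lower().startswith('software\\wow6432node\\')
    if wow64:  # 32-bit view: fold it onto the native path for comparison
        key = 'SOFTWARE\\' + key[len('software\\wow6432node\\'):]
    data = m['data']
    if data is not None:
        data = re.sub(r'\\(.)', r'\1', data)  # undo the report's \" and \\ escapes
    vtype = 'int' if '(int)' in m['op'] else ('str' if '(str)' in m['op'] else None)
    return {'op': m['op'], 'hive': hive, 'key': key, 'data': data,
            'type': vtype, 'proc': m['proc'], 'wow64': wow64}

def check(row):
    """Map one parsed row to a finding label, or None when it looks benign."""
    k = row['key'].lower()
    d = (row['data'] or '').strip().lower()
    proc = row['proc'].lower()
    if k.endswith('\\winlogon\\userinit') and d != DEFAULT_USERINIT:
        return 'persistence: Winlogon Userinit replaced'
    if k.endswith('\\winlogon\\shell') and (row['hive'] == 'HKCU' or d != DEFAULT_SHELL):
        return 'persistence: Winlogon Shell replaced'
    if k.endswith(VIEW_VALUES) and not proc.endswith('\\explorer.exe'):
        # Explorer writes these itself; a dropped binary forcing them keeps the
        # .exe extension and the hidden Recycled folders out of sight.
        odd_type = ' (written as REG_SZ, not REG_DWORD)' if row['type'] == 'str' else ''
        return 'evasion: Explorer view setting forced by ' + row['proc'] + odd_type
    if k == 'software\\classes\\scrfile\\' and d and d != DEFAULT_SCRFILE_DESC:
        return 'masquerade: .scr files relabelled as "' + row['data'] + '"'
    if row['op'] == 'Key deleted' and '\\classes\\scrfile\\' in k:
        return 'masquerade: screen-saver shell verb removed (' + row['key'] + ')'
    return None

def analyze(text):
    """Run every row through check() and return the list of findings."""
    findings = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        label = check(row)
        if label:
            findings.append({'finding': label, 'key': row['hive'] + '\\' + row['key'],
                             'data': row['data'], 'proc': row['proc'], 'wow64': row['wow64']})
    return findings

if __name__ == '__main__':
    for f in analyze(SAMPLE_ROWS):
        print(f['finding'], '|', f['key'], '|', f['proc'],
              '| 32-bit (Wow6432Node) view' if f['wow64'] else '')
```

Run as-is it prints one line per finding: two persistence hits, two forced view settings (one of them written with the wrong value type), and the two scrfile changes that make a .scr dropper look and describe itself like a Word document. The same checks carry over to a live host: read both the native and the Wow6432Node Winlogon keys and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, and treat any writer other than Explorer or a user-driven settings tool as suspect.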

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2736 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2736 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2736 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2736 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2892 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2892 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2892 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2892 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2312 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2312 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2312 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2312 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2916 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2916 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2916 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2916 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 1980 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2892 wrote to memory of 1980 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2892 wrote to memory of 1980 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2892 wrote to memory of 1980 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1980 wrote to memory of 2604 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2604 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2604 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2604 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2680 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2680 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2680 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2680 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2332 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1980 wrote to memory of 2332 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1980 wrote to memory of 2332 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1980 wrote to memory of 2332 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2528 wrote to memory of 1108 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2528 wrote to memory of 1108 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2528 wrote to memory of 1108 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2528 wrote to memory of 1108 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2024 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2528 wrote to memory of 2024 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2528 wrote to memory of 2024 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2528 wrote to memory of 2024 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2096 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2024 wrote to memory of 1896 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2024 wrote to memory of 1896 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2024 wrote to memory of 1896 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2024 wrote to memory of 1896 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2364 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2364 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2364 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2364 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
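The WriteProcessMemory table records every write the sandbox observed, so each parent/child pair appears four times and the lineage is hard to follow. The script below is an added example by the editor, not part of the report: it collapses the rows into unique parent/child edges, prints the process tree from the submitted sample down, and flags images that borrow a Windows service name (svchost.exe, spoolsv.exe) from a path outside C:\Windows, which is the name-masquerading the recycled-folder copies rely on. The rows are copied from the table above (the first edge is kept with its duplicates to show the collapsing); the list of system binary names is the editor's assumption.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.

Added example, not part of the sandbox report. The sandbox logs one
"PID a wrote to memory of b" row per write, so every parent/child pair
appears several times; this collapses them into edges, renders the tree and
flags images that borrow a system binary's name from outside C:\\Windows.
"""
import re
from collections import defaultdict

EDGE = re.compile(
    r'^PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)\s+N/A\s+'
    r'(?P<src_img>[A-Z]:\\.+?)\s+(?P<dst_img>[A-Z]:\\\S.*)$'
)
# Names that only belong under %SystemRoot% (editor's list, not the report's).
SYSTEM_NAMES = {'svchost.exe', 'spoolsv.exe', 'userinit.exe', 'explorer.exe'}

# Rows copied from the table above, one per distinct edge; the first edge
# keeps its four duplicate rows to show the collapsing.
SAMPLE_ROWS = r'''
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2096 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2736 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2892 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2312 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 2916 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2892 wrote to memory of 1980 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1980 wrote to memory of 2604 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2680 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1980 wrote to memory of 2332 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2528 wrote to memory of 1108 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2528 wrote to memory of 2024 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2096 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2024 wrote to memory of 1896 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2364 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
'''

def parse_edges(text):
    """Return ({pid: image}, {parent: [child, ...]}) with duplicate rows collapsed."""
    image, children, seen = {}, defaultdict(list), set()
    for line in text.splitlines():
        m = EDGE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        image.setdefault(src, m['src_img'])
        image.setdefault(dst, m['dst_img'])
        if (src, dst) not in seen:          # the same pair is logged once per write
            seen.add((src, dst))
            children[src].append(dst)
    return image, dict(children)

def roots(image, children):
    """PIDs that are never a child: on a clean run, just the submitted sample."""
    kids = {c for cs in children.values() for c in cs}
    return [pid for pid in image if pid not in kids]

def render(image, children, pid, depth=0, out=None):
    """Indented one-line-per-process view of the tree below pid."""
    out = [] if out is None else out
    out.append('  ' * depth + f'{pid} {image[pid]}')
    for child in children.get(pid, []):
        render(image, children, child, depth + 1, out)
    return out

def masquerading(image):
    """PIDs whose file name is a system binary's but whose path is outside C:\\Windows."""
    hits = []
    for pid, img in image.items():
        name = img.rsplit('\\', 1)[-1].lower()
        if name in SYSTEM_NAMES and not img.lower().startswith('c:\\windows\\'):
            hits.append((pid, img))
    return sorted(hits)

if __name__ == '__main__':
    image, children = parse_edges(SAMPLE_ROWS)
    for root in roots(image, children):
        print('\n'.join(render(image, children, root)))
    for pid, img in masquerading(image):
        print(f'masquerade: PID {pid} runs {img}')
```

The tree makes the chain readable: the sample starts the C:\recycled and F:\recycled SVCHOST.EXE copies and a SPOOLSV.EXE helper, those respawn each other (the Processes section shows the children run with the ":agent" argument), one SVCHOST.EXE instance runs userinit.exe, which relaunches Explorer.exe with the hijacked Shell value, and the sample separately opens a .doc named after itself in WINWORD.EXE, the usual decoy for a document-lookalike dropper. The edge-collapsing and name check apply unchanged to Sysmon Event ID 1 (ProcessId/ParentProcessId with Image/ParentImage) or any other process-creation feed.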

Processes

C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe

"C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.doc"

C:\Windows\SysWOW64\Explorer.exe

Explorer.exe "C:\recycled\SVCHOST.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2096-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 1b07795f006bc30deffc46ea42308fc8
SHA1 f468797e9c1dc664d868389ae07dd16e5c02110b
SHA256 9f362d37e12aceee3234f09b6819ff1554e46e0552df39f50b07b158ad436cb7
SHA512 d320c2511fda706885a5a274a52b3dd73c81e2bc8f87b0b1de5e146a8981b21f426ca269fa74d401d71b0ff41cb5836a4432bb857b601f78ff13e2e085c45c0a

\Recycled\SVCHOST.EXE

MD5 1ef33fe05131f9a92875b7d8b240580a
SHA1 9049fe32c791b0229581db3a82f29a3e02c8c5c8
SHA256 47e54753d47b99f5ff7ffc8a7ed6cffdef95421ab9c3f777fc1c22fb33e193b1
SHA512 c9322e2189b6306a677169d31ed8bccddf897df2bf838adc6edeaebfa15496d56ab44d9c078f1ead1370b9c15cdcb9a8ab51b37133432f33cf785d5af5c750a9

memory/2528-24-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-23-0x0000000003960000-0x000000000397A000-memory.dmp

memory/2096-22-0x0000000003960000-0x000000000397A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/2736-32-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2736-35-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2892-40-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2892-47-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/2312-51-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2916-56-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2892-59-0x00000000004E0000-0x00000000004FA000-memory.dmp

\Recycled\SPOOLSV.EXE

MD5 02cf194c8a5c5d42feba4290fa25770d
SHA1 23ecff4101bf855b19c154dba8217590a47f6c1e
SHA256 abb3ff529c29ccb83e6919701e4248dadf8597e1106ea7fbe2871dbcec2ad07a
SHA512 7471199a8f7bb1f7f6ebb812573e98e17c3fcf61b0098c6d4b7f55d013e3e6f1756c9719a5b5a8c1566820e7c3adefacb19d36b4c6e0559b15cb9d161324bb21

memory/1980-62-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2604-70-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2680-80-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1980-79-0x00000000003D0000-0x00000000003EA000-memory.dmp

memory/2604-78-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2680-83-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1980-82-0x00000000003D0000-0x00000000003EA000-memory.dmp

memory/2332-89-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1108-93-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1108-96-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2564-103-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2820-106-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-107-0x0000000004760000-0x000000000476C000-memory.dmp

memory/2096-108-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Recycled\desktop.ini

MD5 ad0b0b4416f06af436328a3c12dc491b
SHA1 743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA256 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

memory/2364-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

memory/2528-164-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2892-168-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2892-176-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/1980-177-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1980-178-0x00000000003D0000-0x00000000003EA000-memory.dmp

memory/1980-182-0x00000000003D0000-0x00000000003EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:32

Reported

2024-11-17 08:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\G: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\J: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\recycled\SPOOLSV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\recycled\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\userinit.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\InfoTip = "prop:Type;Write;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2816 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 2816 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 2548 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 2548 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 2548 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 1216 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 1216 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 5024 wrote to memory of 1216 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 320 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 320 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 320 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 736 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 736 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 736 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 1216 wrote to memory of 1052 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1216 wrote to memory of 1052 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1216 wrote to memory of 1052 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1052 wrote to memory of 3056 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 3056 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 3056 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 3300 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 3300 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 3300 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1052 wrote to memory of 4644 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1052 wrote to memory of 4644 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 1052 wrote to memory of 4644 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 5024 wrote to memory of 1844 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 5024 wrote to memory of 1844 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 5024 wrote to memory of 1844 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2816 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2816 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2816 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe F:\recycled\SVCHOST.EXE
PID 2816 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2816 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 2816 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\recycled\SPOOLSV.EXE
PID 5024 wrote to memory of 4760 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 5024 wrote to memory of 4760 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 5024 wrote to memory of 4760 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 4760 wrote to memory of 3044 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 4760 wrote to memory of 3044 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 4760 wrote to memory of 3044 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\SysWOW64\Explorer.exe
PID 2816 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2816 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe

"C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\SysWOW64\Explorer.exe

Explorer.exe "C:\recycled\SVCHOST.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp

Files

F:\Recycled\SVCHOST.EXE

C:\Recycled\SVCHOST.EXE

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

C:\Recycled\SPOOLSV.EXE

C:\Recycled\desktop.ini

C:\begolu.txt

C:\Users\Admin\AppData\Local\Temp\TCD94.tmp\sist02.xsl